when-reviewing-github-pr-use-github-code-review

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's workflow depends on executing multiple shell scripts located in a scripts/ directory (e.g., github-api.sh, security-scan.sh, perf-analysis.sh, code-quality.sh, test-coverage.sh, and security-fixes.sh). Since these files are not included in the provided skill package, their contents cannot be audited, posing a risk of unverified system command execution.
  • [REMOTE_CODE_EXECUTION]: The skill frequently uses npx claude-flow@alpha to manage agent swarms and shared memory. This command downloads and executes code from the npm registry at runtime from a source that is not listed as a trusted vendor, introducing an unverified external dependency.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface Detected. The skill processes untrusted content from external GitHub Pull Requests (metadata, diffs, and comments), which could contain malicious instructions designed to manipulate the agent swarm's behavior.
  • Ingestion points: Data is brought into the agent context via the github-api.sh fetch-pr command and the mcp__flow-nexus__github_repo_analyze tool as described in Phase 1 of the SOP.
  • Boundary markers: The skill instructions do not specify any boundary markers or instructions to isolate the PR content from the agent's control logic.
  • Capability inventory: The agents involved have significant system access, including the ability to run shell scripts, execute npx packages, and perform write operations to GitHub repositories via API.
  • Sanitization: There is no evidence of validation or sanitization of the PR data before it is analyzed by the specialized agents or used to generate final review reports.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 03:21 AM
Security Audit — agent-trust-hub — when-reviewing-github-pr-use-github-code-review