skills/dnyoussef/ai-chrome-extension/when-reviewing-github-pr-use-github-code-review/Gen Agent Trust Hub
when-reviewing-github-pr-use-github-code-review
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow depends on executing multiple shell scripts located in a
scripts/directory (e.g.,github-api.sh,security-scan.sh,perf-analysis.sh,code-quality.sh,test-coverage.sh, andsecurity-fixes.sh). Since these files are not included in the provided skill package, their contents cannot be audited, posing a risk of unverified system command execution. - [REMOTE_CODE_EXECUTION]: The skill frequently uses
npx claude-flow@alphato manage agent swarms and shared memory. This command downloads and executes code from the npm registry at runtime from a source that is not listed as a trusted vendor, introducing an unverified external dependency. - [PROMPT_INJECTION]: Indirect Prompt Injection Surface Detected. The skill processes untrusted content from external GitHub Pull Requests (metadata, diffs, and comments), which could contain malicious instructions designed to manipulate the agent swarm's behavior.
- Ingestion points: Data is brought into the agent context via the
github-api.sh fetch-prcommand and themcp__flow-nexus__github_repo_analyzetool as described in Phase 1 of the SOP. - Boundary markers: The skill instructions do not specify any boundary markers or instructions to isolate the PR content from the agent's control logic.
- Capability inventory: The agents involved have significant system access, including the ability to run shell scripts, execute
npxpackages, and perform write operations to GitHub repositories via API. - Sanitization: There is no evidence of validation or sanitization of the PR data before it is analyzed by the specialized agents or used to generate final review reports.
Audit Metadata