agent-loop-autoreview

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted content from GitHub PR comments to drive agent actions.
  • Ingestion points: Pull request comments and reviews are fetched via gh api in SKILL.md.
  • Boundary markers: The skill lacks boundary markers or instructions to ignore embedded instructions when the agent processes the extracted 🤖 Prompt for AI Agents section.
  • Capability inventory: The skill has significant capabilities, including file system modification, shell command execution (npm run test, pytest, ruff), and network operations via git push and gh pr merge.
  • Sanitization: Although the skill includes "Safety Gating" to avoid sensitive paths (like .env) and untrusted contributors, it does not sanitize the actual code or prompts extracted from the PR comments before execution.
  • [COMMAND_EXECUTION]: The skill executes validation commands including npm run test, pytest, ruff, and npx tsc. If a malicious suggestion from a PR comment is applied, any code included in that suggestion could be executed with the agent's privileges during the test phase.
  • [COMMAND_EXECUTION]: The skill uses the gh (GitHub CLI) to perform administrative actions such as fetching review threads and merging pull requests.
  • [DATA_EXFILTRATION]: The skill uses git push to transmit local code changes to remote repositories, which constitutes a standard but functional path for data to leave the local environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 03:11 AM
Security Audit — agent-trust-hub — agent-loop-autoreview