agent-loop-autoreview
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted content from GitHub PR comments to drive agent actions.
- Ingestion points: Pull request comments and reviews are fetched via
gh apiinSKILL.md. - Boundary markers: The skill lacks boundary markers or instructions to ignore embedded instructions when the agent processes the extracted
🤖 Prompt for AI Agentssection. - Capability inventory: The skill has significant capabilities, including file system modification, shell command execution (
npm run test,pytest,ruff), and network operations viagit pushandgh pr merge. - Sanitization: Although the skill includes "Safety Gating" to avoid sensitive paths (like
.env) and untrusted contributors, it does not sanitize the actual code or prompts extracted from the PR comments before execution. - [COMMAND_EXECUTION]: The skill executes validation commands including
npm run test,pytest,ruff, andnpx tsc. If a malicious suggestion from a PR comment is applied, any code included in that suggestion could be executed with the agent's privileges during the test phase. - [COMMAND_EXECUTION]: The skill uses the
gh(GitHub CLI) to perform administrative actions such as fetching review threads and merging pull requests. - [DATA_EXFILTRATION]: The skill uses
git pushto transmit local code changes to remote repositories, which constitutes a standard but functional path for data to leave the local environment.
Audit Metadata