user-story-reviewer

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from external sources.
  • Ingestion points: The agent is instructed to read requirements from gh issue view and code diffs from gh pr diff in the Workflow section of SKILL.md.
  • Capability inventory: The agent has extensive capabilities including shell access, the ability to checkout and run code, and the power to commit changes and merge PRs.
  • Boundary markers: The instructions lack boundary markers or specific warnings to ignore instructions embedded in the external content.
  • Sanitization: No sanitization or validation of the ingested text is performed before it is processed by the agent.
  • [REMOTE_CODE_EXECUTION]: The skill explicitly directs the agent to download and execute code from untrusted sources (Category 4). In the 'Review Dimensions' section of SKILL.md, the agent is told to gh pr checkout the PR branch and 'Run the tests locally to ensure they actually pass.' This constitutes the execution of unverified remote code.
  • [COMMAND_EXECUTION]: The skill relies on shell commands and a bundled bash script (scripts/approve_or_merge_pr.sh) to perform its primary functions. The arguments for these commands, such as the PR number, are derived from external input. While the script uses proper quoting, the instructions in SKILL.md rely on the agent's underlying shell environment to safely interpolate these variables.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 11:38 AM