gh-pr-review-posting

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes local bash scripts located in the scripts/ directory to interface with the GitHub CLI (gh) and jq. These scripts are used to construct review payloads, post reviews, and manage inline comments. Arguments such as repository names and PR numbers are passed to these scripts during the workflow.
  • [EXTERNAL_DOWNLOADS]: The skill makes network requests to the official GitHub API via the gh api command. This interaction is intended for legitimate pull request management and targets a well-known service.
  • [SAFE]: The implementation follows several best practices. It uses jq with the --arg flag to safely handle JSON construction, preventing injection in the payload. Additionally, the script for deleting comments uses grep to ensure only numeric IDs are processed, which mitigates potential shell injection through those specific inputs. The use of the /tmp directory for staging payloads provides transparency, allowing the user or agent to inspect data before execution.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 9, 2026, 11:43 AM