pr-code-review

Pass

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use git and gh (GitHub CLI) for fetching diffs, file contents, and pull request metadata. It also utilizes the GitHub GraphQL API to resolve review threads and post inline comments with verdicts. These operations are standard for development-focused skills and use official tooling.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) because it processes untrusted content from pull requests and file changes.
  • Ingestion points: External data is ingested through git diff, the content of modified files, and pull request descriptions as specified in Step 1 of the workflow.
  • Boundary markers: The skill uses markdown headers (e.g., ## Diff, ## Changed File Contents) to delineate untrusted data but lacks explicit "ignore instructions" delimiters in its subagent prompt templates.
  • Capability inventory: The skill possesses write access to pull requests (submitting reviews, resolving threads) and read access to the local repository.
  • Sanitization: No sanitization or escaping of the ingested PR content is performed before it is interpolated into subagent prompts.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 15, 2026, 10:54 PM
Security Audit — agent-trust-hub — pr-code-review