cto-review
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill uses shell commands like `grep` and `cut` to extract sensitive authentication tokens (including `GH_TOKEN`, `GH_PAT_FELLOWSHIP`, `PYLOT_DISPATCH_TOKEN`, and `QUEST_TOKEN`) from a local `.env` file located at `$HOME/projects/fellowship-dev/claude-buddy/.env`.
- [COMMAND_EXECUTION]: The skill relies extensively on shell command execution to perform its logic, including complex piping and the use of the GitHub CLI (`gh`) for administrative repository operations such as labeling and merging Pull Requests. It also uses `python3 -c` for dynamic YAML parsing and JSON generation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from Pull Request titles, descriptions, and code diffs to drive its automated decision-making process (e.g., determining the review verdict).
  - Ingestion points: PR metadata and diffs are fetched in `SKILL.md` using `gh pr view` and `gh pr diff`.
  - Boundary markers: No delimiters or instructions are used to separate untrusted PR content from the agent's internal reasoning or to warn the agent to ignore embedded instructions.
  - Capability inventory: Across its scripts, the skill possesses the capability to merge PRs, edit labels, post comments, and send data to local APIs via `curl`.
  - Sanitization: The skill does not perform any sanitization or validation of the external PR data before interpreting it for the checklist and verdict decision.
Audit Metadata