double-check
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill reads sensitive authentication tokens from a specific local path at '$HOME/projects/fellowship-dev/claude-buddy/.env'. These tokens (GH_TOKEN_FELLOWSHIP and QUEST_TOKEN) are used to authenticate GitHub CLI operations and post data to a local event API.
- [REMOTE_CODE_EXECUTION]: The workflow clones external repositories based on user-provided arguments and executes their test suites (e.g., 'npm test', 'pytest'). A malicious repository can define arbitrary commands in its test scripts that execute with the agent's privileges during the review process.
- [PROMPT_INJECTION]: The skill ingests untrusted data from Pull Request titles, bodies, and comments using 'gh pr view'. This content is used for classification and curation, creating an indirect prompt injection surface where embedded instructions could subvert the agent's logic.
  - Ingestion points: PR metadata and review comments retrieved via GitHub CLI in SKILL.md (Steps 1 and 3).
  - Boundary markers: None present; untrusted PR content is processed directly.
  - Capability inventory: Shell execution (git, npm, pytest, curl, gh), file system writes (local repository cloning, report generation), and network access.
  - Sanitization: No sanitization or escaping of PR content is performed before processing.
- [COMMAND_EXECUTION]: The skill relies heavily on the 'Bash' tool to execute git operations, package manager commands, and system utilities like grep and cut.
- [EXTERNAL_DOWNLOADS]: The skill clones remote code from GitHub repositories specified in the tool's arguments, which is a necessary but risky part of the PR review functionality.
Audit Metadata