review-pr
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE
PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted content from GitHub PRs, which constitutes an indirect prompt injection surface. An attacker could include malicious instructions in a PR's body or code diff to influence the agent's review verdict or reporting logic.
  - Ingestion points: Reads PR body, title, and file diffs using `gh pr view` and `gh pr diff` in `SKILL.md`.
  - Boundary markers: No explicit delimiters or instructions are used to distinguish untrusted PR data from the agent's core instructions.
  - Capability inventory: The skill has the ability to post comments and manage labels on GitHub repositories using the `gh` tool.
  - Sanitization: No sanitization or validation of the external PR content is performed before it is processed by the agent.
- [CREDENTIALS_UNSAFE]: The skill script reads a sensitive `.env` file to extract a `QUEST_TOKEN`. While this appears to be part of the vendor's internal reporting workflow, accessing credentials from local files is a sensitive operation.
  - Evidence: `QUEST_TOKEN=$(grep '^QUEST_TOKEN=' $HOME/projects/fellowship-dev/claude-buddy/.env | cut -d= -f2)` in `SKILL.md`.
Audit Metadata