github-code-review
Fail
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The file
references/reference.mdcontains a Node.js webhook handler example (webhook-handler.js) that usesexecSyncto run shell commands. It incorporates theevent.comment.bodydirectly into the command string without any sanitization or validation. This allows a malicious user to execute arbitrary commands by crafting a pull request comment (e.g., using shell metacharacters like;,|, or`). - [EXTERNAL_DOWNLOADS]: The skill depends on
npx ruv-swarmto perform its core functions. This pattern downloads and executes code from the npm registry at runtime. While these appear to be associated with the skill's authoring organization (ruvnet), they are third-party dependencies executed without version pinning or hash verification in the provided examples. - [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution via two vectors: the command injection vulnerability in the webhook example and the
register-agentfeature, which dynamically loads and executes local JavaScript files as custom agents. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from GitHub pull requests.
- Ingestion points: Pull request diffs, titles, bodies, and comments are fetched via
gh pr viewandgh pr diffand passed to AI agents. - Boundary markers: No delimiters or safety instructions are used in the prompt construction examples to distinguish between system instructions and PR content.
- Capability inventory: The agents have the capability to merge PRs, request changes, and execute shell commands through the swarm orchestration tool.
- Sanitization: The skill lacks input validation or sanitization for external content before it is processed by the agents.
Recommendations
- AI detected serious security threats
Audit Metadata