Skills
skills/holon-run/holon/github-review/Gen Agent Trust Hub

github-review

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from GitHub pull requests.
  • Ingestion points: The skill uses gh pr view, gh pr diff, and gh api to collect PR metadata, file contents, diff hunks, and user comments (defined in SKILL.md).
  • Boundary markers: There are no explicit instructions or delimiters (like XML tags or markdown blocks with warnings) defined in the skill to prevent the agent from obeying instructions embedded within the PR content.
  • Capability inventory: The skill has the capability to publish data back to GitHub via gh api ... -X POST (defined in the Workflow section of SKILL.md).
  • Sanitization: No sanitization or filtering of the ingested PR data is specified before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill executes shell commands using the gh CLI to interact with the GitHub API. These commands are necessary for the skill's primary purpose but involve network operations and writing data (publishing reviews) to a remote platform.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 30, 2026, 12:55 PM
Security Audit — agent-trust-hub — github-review