quality-gate
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses user-supplied arguments to construct shell commands for Git and the GitHub CLI.
- Evidence: In
SKILL.md, the arguments provided via$ARGUMENTSare interpolated into shell execution patterns such asgh pr diff <PR_NUMBER> --name-onlyandgit diff <default_branch>...HEAD. If the agent does not strictly validate or sanitize these arguments before execution, an attacker could use shell metacharacters (e.g.,;,&&,|) to execute arbitrary commands on the host system. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted data from external sources and incorporates it into a prompt for another agent.
- Ingestion points: The skill reads file diffs via
git diffand PR metadata (titles and descriptions) viagh pr viewandgh pr diff. - Boundary markers: There are no explicit boundary markers or instructions to the downstream agent to ignore instructions embedded within the reviewed code or PR metadata.
- Capability inventory: The skill uses
Bashand theTasktool (invokingmajestic-engineer:workflow:quality-gate). - Sanitization: The skill does not implement sanitization or filtering for the content fetched from the repository or GitHub API before passing it to the secondary agent. A malicious user could craft a Pull Request title or code comment designed to hijack the review agent's logic.
Audit Metadata