
review-pr

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables like {number}, {owner}, and {repo} (e.g., gh pr view {number}). If these values are not strictly validated as integers or valid repository paths, they could be used for shell command injection.
  • [PROMPT_INJECTION]: As an indirect prompt injection surface, the skill ingests untrusted data from PR titles, descriptions, and code diffs. It lacks explicit boundary markers or instructions to the agent to disregard instructions embedded within the data being reviewed, which could allow an attacker to influence the agent's findings or behavior via a malicious PR.
  • Ingestion points: Reads PR metadata and diffs using gh pr view and gh pr diff (SKILL.md).
  • Boundary markers: None present; the agent is simply told to "Review every changed file".
  • Capability inventory: Subprocess execution (gh CLI), file reading (Read tool), and network access (GitHub API).
  • Sanitization: None detected; content is passed directly to the model for analysis.
  • [DATA_EXFILTRATION]: The skill reads local project context files (CLAUDE.md, AGENTS.md) and code diffs, then transmits analysis results to the GitHub API. While this is the intended functionality using a well-known service, it represents a flow of local information to an external endpoint.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 09:17 PM
Security Audit — agent-trust-hub — review-pr