pr-review-and-document

Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell scripts to handle PR metadata and comments. A potential risk exists in Step 5, where AI-generated content (stored in the variable $REVIEW_CONTENT) is piped to a script using the command echo "$REVIEW_CONTENT". If the generated content contains shell metacharacters such as backticks or command substitution syntax, it could lead to unintended command execution in the environment.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from Pull Requests, including code changes and existing comments.
    ◦ Ingestion points: The skill processes PR content via the pr-review-toolkit in Step 3 and reads existing PR comments in Step 2 to locate metadata blocks.
    ◦ Boundary markers: No boundary markers or delimiters are defined in the instructions to isolate the untrusted PR data from the agent's instructions or the structural metadata.
    ◦ Capability inventory: The agent can execute local bash scripts (e.g., get-pr-number.sh, cache-write-comment.sh) and access the GitHub API through the review toolkit.
    ◦ Sanitization: There are no explicit instructions to sanitize or escape the output derived from PR data before it is utilized in shell pipelines. A malicious contributor could attempt to inject a fake <!-- pr-review-metadata --> block into a PR comment to manipulate the review state or metadata processed by the agent in Step 2.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 8, 2026, 09:41 AM