pr-review
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow involves executing shell commands like `git diff` and `gh pr diff`. It interpolates user-supplied data (such as pull request numbers or file paths) directly into these commands. If the agent fails to validate these inputs, it could lead to command injection (e.g., a user providing a string like '1; rm -rf /' as a PR number).
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted content from code diffs and external configuration files like `CLAUDE.md` without adequate safeguards.
  - Ingestion points: Untrusted data enters the agent context via the output of `git diff`, `gh pr diff`, and the contents of `CLAUDE.md` (specified in Phase 1 and 2 of the workflow).
  - Boundary markers: The instructions lack explicit delimiters or "ignore previous instruction" markers to separate the content being reviewed from the review methodologies.
  - Capability inventory: The agent has the capability to execute shell commands (`git`, `gh`) and read local files.
  - Sanitization: There is no evidence of input validation, escaping, or sanitization of the diff content or file paths before they are processed by the agent.
Audit Metadata