review-security
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions describe a workflow that interpolates user-provided arguments directly into shell commands. In Phase 0,
<pr_number>and<commit_sha>are used ingh pr view <pr_number> --json files --jq '.files[].path'andgit diff-tree --no-commit-id --name-only -r <commit_sha>. Without explicit sanitization instructions, this pattern is vulnerable to command injection if a user provides arguments containing shell metacharacters (e.g.,;,&&, or backticks). - [REMOTE_CODE_EXECUTION]: The potential for command injection through the manipulation of command-line arguments allows for arbitrary code execution within the agent's environment.
- [DATA_EXPOSURE]: The skill's core functionality involves scanning entire codebases, PRs, and commits. This capability allows the agent to read and process any file in the repository, including sensitive configuration files (e.g.,
.env,credentials) if they are part of the scanned scope. - [INDIRECT_PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its processing of external, untrusted content.
- Ingestion points: Files changed in PRs, commit messages, and repository source code (SKILL.md).
- Boundary markers: The instructions do not define clear delimiters or instruct the agent to ignore instructions embedded within the scanned code.
- Capability inventory: The skill utilizes powerful tools including
gh(GitHub CLI),git, andgrep, and has the ability to read files across the project. - Sanitization: There is no evidence of sanitization or filtering for instructions hidden in comments, documentation, or string literals within the code being audited.
Audit Metadata