review-changes
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Utilizes CLI tools including git, gh (GitHub CLI), and acli (Atlassian CLI) to interact with local repositories, remote GitHub pull requests, and Jira work items.
- [PROMPT_INJECTION]: Presents an attack surface for indirect prompt injection through the ingestion of untrusted external data.
  - Ingestion points: Processes data from git diffs, GitHub PR metadata, PR comments, Jira ticket descriptions, and local documentation files (e.g., CLAUDE.md, ARCHITECTURE.md).
  - Boundary markers: Lacks explicit delimiters or specific instructions to the AI to ignore instructions embedded within the processed data.
  - Capability inventory: The skill includes capabilities to modify the local file system (performing automated fixes) and communicate externally via the GitHub API (posting PR comments).
  - Sanitization: No evidence of sanitization, validation, or escaping of external content is present before the data is interpreted by the review agents.
Audit Metadata