pr-review-address-feedback

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script at ~/.claude/scripts/feature-state.py during the Phase 5 (LEARN) stage. The script lives outside the skill package and its source is not provided, so its behavior cannot be reviewed; whatever can write to that path in the user's home directory decides what the skill runs.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection. It fetches untrusted data from three GitHub endpoints (/reviews, /comments, and /issues/{pr_number}/comments) and treats the reviewer-authored text as instructions to act on. Anyone able to comment on the PR could post a comment crafted to hijack the agent's logic during the FETCH, VALIDATE, or EXECUTE phases.
  • [DATA_EXFILTRATION]: In the Phase 2 (VALIDATE) stage, the skill is instructed to run curl -sI [URL] against any URL a reviewer mentions. Because the reviewer chooses the target, this is a Server-Side Request Forgery (SSRF) primitive: the URL can name loopback, RFC 1918, or link-local addresses such as a cloud instance-metadata service, and the response headers flow back into the agent's context, so the request both probes internal infrastructure and can leak what it answers. -I sends a HEAD request, and curl does not follow redirects without -L, which narrows but does not remove the exposure.
  • [COMMAND_EXECUTION]: The skill uses the gh CLI to interact with the GitHub API. gh itself is a standard tool, but the skill's instructions interpolate PR data into shell command lines; unless that data is passed as separate arguments rather than spliced into a shell string, PR metadata containing shell metacharacters becomes command injection.
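The two shell-facing findings above (the curl -sI URL check and the gh command lines built from PR data) share one root cause: reviewer-controlled strings reaching a subprocess unchecked. The following is an added example of how an agent harness could gate both; it is not code from the audited skill or from Gen Agent Trust Hub. The function names (is_safe_url, curl_head_argv, gh_comment_argv, run_argv), the pluggable resolver hook, and the hostnames and addresses in the demo table are assumptions made here so the checks can be exercised offline.

```python
"""Guard rails for a PR-review agent that runs shell tools on reviewer-supplied data.

Added example, not code from the audited skill. The names below and the
resolver hook are assumptions made here so the checks run offline.
"""
import ipaddress
import re
import socket
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host):
    """Resolve every A/AAAA record; an attacker controls DNS for their own
    domain, so all answers must be checked, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr):
    # is_global is False for RFC 1918, loopback, link-local (169.254.0.0/16,
    # where cloud metadata services live), CGNAT, unspecified and reserved.
    return addr.is_global and not addr.is_multicast


def is_safe_url(url, resolver=_system_resolver):
    """Return (ok, detail). ok is True only for an http(s) URL without userinfo
    whose host resolves exclusively to public addresses; detail carries the
    rejection reason or the accepted addresses, comma-separated."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        # Shorthand literals such as "127.1" are not parsed by ipaddress but
        # are by getaddrinfo, so they are normalised by the resolver and caught.
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"DNS failure for {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for a in addrs:
        if not _is_public(ipaddress.ip_address(a)):
            return False, f"{host} resolves to non-public address {a}"
    return True, ",".join(addrs)


def curl_head_argv(url, pinned_ip, timeout_s=5):
    """HEAD request with the host pinned to the address that passed is_safe_url,
    so the DNS answer cannot change between check and use (rebinding).
    No -L: a 3xx pointing at an internal address is reported, not followed."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    ip = f"[{pinned_ip}]" if ":" in pinned_ip else pinned_ip
    return ["curl", "-sI", "--max-time", str(timeout_s),
            "--proto", "=http,https",
            "--resolve", f"{parts.hostname}:{port}:{ip}", url]


REPO_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")


def gh_comment_argv(pr_number, repo):
    """argv for posting a comment. The body is NOT on the command line: it is
    sent on stdin via --body-file -, so reviewer text can never become a shell
    token or a gh flag. Contrast the vulnerable shape the audit warns about,
        os.system(f"gh pr comment {pr_number} --body '{body}'")
    where a body of  '; curl http://10.0.0.5/ #  breaks out of the quotes."""
    if not isinstance(pr_number, int) or isinstance(pr_number, bool) or pr_number <= 0:
        raise ValueError("pr_number must be a positive int")
    if not REPO_RE.fullmatch(repo):
        raise ValueError("repo must look like owner/name")
    return ["gh", "pr", "comment", str(pr_number), "--repo", repo, "--body-file", "-"]


def run_argv(argv, stdin_text=None):
    """Run without a shell; argv elements go verbatim to execve."""
    return subprocess.run(argv, input=stdin_text, text=True,
                          capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline; "docs.internal"
    # stands in for a reviewer pointing the agent at a private host.
    table = {"example.com": ["93.184.216.34"], "docs.internal": ["10.0.0.5"]}
    for u in ("https://example.com/spec", "https://docs.internal/",
              "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"):
        ok, detail = is_safe_url(u, resolver=table.__getitem__)
        print("ALLOW" if ok else "DENY ", u, "->", detail)
    print(curl_head_argv("https://example.com/spec", "93.184.216.34"))
    print(gh_comment_argv(42, "octo/repo"))
```

To use it, call is_safe_url on the reviewer's URL, and only if it returns ok build the command with curl_head_argv using one of the returned addresses and hand it to run_argv; for comments, run_argv(gh_comment_argv(n, repo), stdin_text=body). The deny list is derived from ipaddress.is_global rather than a hand-written range table, which is what usually lets 169.254.169.254 or 100.64.0.0/10 slip through.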
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 29, 2026, 05:28 PM
Security Audit — agent-trust-hub — pr-review-address-feedback