github-code-review

Fail

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill's setup script (SKILL.md, lines 24-34) programmatically extracts authentication tokens from sensitive local files including ~/.hermes/.env and ~/.git-credentials. Reading from ~/.git-credentials is particularly high-risk as it contains plain-text passwords or tokens for various Git remotes. While this is used to authenticate with the GitHub API, harvesting credentials from local storage is a dangerous pattern.
  • [COMMAND_EXECUTION]: The skill uses shell commands to pipe API responses from curl into python3 -c for dynamic data processing (SKILL.md, lines 145-155). Additionally, the end-to-end workflow (SKILL.md, lines 236-241) instructs the agent to run arbitrary test and linting commands (pytest, npm test, ruff check) based on the repository's ecosystem. If the repository contains malicious configuration files (e.g., a toxic pyproject.toml or package.json), this can lead to arbitrary code execution on the user's machine.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external sources.
  • Ingestion points: The skill fetches PR descriptions, titles, and file contents from the GitHub API and local git diff output (SKILL.md, lines 142, 172, 230).
  • Boundary markers: None. The agent is instructed to read the PR body and code changes without any delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill possesses the ability to write to the GitHub API, including posting comments, requesting changes, and submitting formal reviews (SKILL.md, lines 182, 215, 245).
  • Sanitization: No sanitization or validation of the ingested PR data is performed before the agent processes it.
  • Risk: A malicious pull request could include instructions (e.g., in the PR body or code comments) designed to trick the agent into approving a malicious change or leaking environment variables back to the PR as a comment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 01:45 PM
Security Audit — agent-trust-hub — github-code-review