github-code-review
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill's setup script (SKILL.md, lines 24-34) programmatically extracts authentication tokens from sensitive local files including
~/.hermes/.envand~/.git-credentials. Reading from~/.git-credentialsis particularly high-risk as it contains plain-text passwords or tokens for various Git remotes. While this is used to authenticate with the GitHub API, harvesting credentials from local storage is a dangerous pattern. - [COMMAND_EXECUTION]: The skill uses shell commands to pipe API responses from
curlintopython3 -cfor dynamic data processing (SKILL.md, lines 145-155). Additionally, the end-to-end workflow (SKILL.md, lines 236-241) instructs the agent to run arbitrary test and linting commands (pytest,npm test,ruff check) based on the repository's ecosystem. If the repository contains malicious configuration files (e.g., a toxicpyproject.tomlorpackage.json), this can lead to arbitrary code execution on the user's machine. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external sources.
- Ingestion points: The skill fetches PR descriptions, titles, and file contents from the GitHub API and local
git diffoutput (SKILL.md, lines 142, 172, 230). - Boundary markers: None. The agent is instructed to read the PR body and code changes without any delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill possesses the ability to write to the GitHub API, including posting comments, requesting changes, and submitting formal reviews (SKILL.md, lines 182, 215, 245).
- Sanitization: No sanitization or validation of the ingested PR data is performed before the agent processes it.
- Risk: A malicious pull request could include instructions (e.g., in the PR body or code comments) designed to trick the agent into approving a malicious change or leaking environment variables back to the PR as a comment.
Recommendations
- AI detected serious security threats
Audit Metadata