paladin-pr-review

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes standard git commands to retrieve the codebase state for analysis.
      • Ingestion points: The agent runs git diff, git diff --cached, and git diff --stat to populate its context with code changes.
      • Capability inventory: These commands allow the agent to read file content and metadata within the repository scope.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the PALADIN.md file, which is likely part of the untrusted repository being reviewed.
      • Ingestion points: Instructions and configurations are read from PALADIN.md (e.g., paladin_source_list, paladin_conversion, paladin_custom_action).
      • Boundary markers: None detected. The skill directly follows logic parsed from this external file.
      • Capability inventory: The configuration in PALADIN.md can trigger task creation in external systems or change the source list for security advisories.
      • Sanitization: None detected. The skill trusts the contents of the configuration file to guide its execution workflow.
  • [DATA_EXFILTRATION]: The skill includes functionality to export review findings to external services based on untrusted configuration.
      • Evidence: The paladin_action_destination field in PALADIN.md can be set to email or custom. If a malicious PR author modifies this file, they could cause the agent to send sensitive security findings from the PR to an unauthorized external endpoint.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 20, 2026, 10:25 AM