review-triage-phase
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill ingests data from external PR reviews and comments via
review-state.json, which is then interpreted by an AI agent (review-triager.md) to create a triage plan. - Ingestion points: The skill reads
review-state.json, which contains the text of GitHub PR review bodies and comments. - Boundary markers: The instructions for the triage agent do not include specific boundary markers or warnings to disregard instructions potentially embedded in the fetched comments.
- Capability inventory: The triage agent has access to
Bash,Write,Read, andWebFetchtools, providing a surface for following injected commands (e.g., interacting with theghCLI or filesystem). - Sanitization: While scripts like
validate-review-actions.mjsenforce JSON schema integrity, there is no natural language sanitization for the comment content processed by the LLM. - [COMMAND_EXECUTION]: Local script execution for state management. The skill defines and executes several internal Node.js scripts (
bootstrap-review-actions.mjs,render-review-actions.mjs, etc.) to generate artifacts and validate the triage state.
Audit Metadata