review-triage-phase

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill ingests data from external PR reviews and comments via review-state.json, which is then interpreted by an AI agent (review-triager.md) to create a triage plan.
  • Ingestion points: The skill reads review-state.json, which contains the text of GitHub PR review bodies and comments.
  • Boundary markers: The instructions for the triage agent do not include specific boundary markers or warnings to disregard instructions potentially embedded in the fetched comments.
  • Capability inventory: The triage agent has access to Bash, Write, Read, and WebFetch tools, providing a surface for following injected commands (e.g., interacting with the gh CLI or filesystem).
  • Sanitization: While scripts like validate-review-actions.mjs enforce JSON schema integrity, there is no natural language sanitization for the comment content processed by the LLM.
  • [COMMAND_EXECUTION]: Local script execution for state management. The skill defines and executes several internal Node.js scripts (bootstrap-review-actions.mjs, render-review-actions.mjs, etc.) to generate artifacts and validate the triage state.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 05:56 AM
Security Audit — agent-trust-hub — review-triage-phase