review
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data in the form of pull request diffs, descriptions, and commit messages. While this presents an attack surface, the skill includes robust mitigation strategies:
- Ingestion points: Data enters via
gh pr view,gh pr diff, andgit logcommands. - Boundary markers: The instructions include an 'ABSOLUTE' security constraints section explicitly commanding the agent to ignore instructions embedded in code or PR contents.
- Capability inventory: The skill uses
Bashfor reading GitHub data andTaskfor orchestrating sub-agents, but expressly forbids building, installing, or executing code. - Sanitization: The agent is instructed to flag suspected prompt injection attempts and terminate the review process.
- [EXTERNAL_DOWNLOADS]: The skill interacts with GitHub, a well-known service, using official CLI tools (
gh) and standard version control (git). All network operations are directed at the Redpanda Connect repository, which is consistent with the skill's stated purpose and authored context. - [DATA_EXFILTRATION]: The skill implements a proactive 'deny-list' for sensitive file patterns including
.env,*secret*,*credential*,*token*, and private keys, preventing accidental or malicious exposure of credentials during the review process.
Audit Metadata