jules-review
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Shell commands in SKILL.md and references/WORKFLOW.md interpolate variables derived from user input (<PR#>) and external tool output ($INVALID_PATH, $INVALID_LINE, $OWNER, $REPO) without proper quoting or sanitization. Specifically, the interpolation in jq filters in WORKFLOW.md and the use of unquoted placeholders in gh commands create a risk of command or argument injection if the data contains shell metacharacters.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from GitHub pull request bodies and diffs and passes it to an AI council for analysis without using boundary markers or sanitization.
- Ingestion points: Pull request metadata and code diffs are fetched via gh pr view and gh pr diff in SKILL.md.
- Boundary markers: No delimiters or isolation instructions are present to separate untrusted PR content from the agent's internal instructions.
- Capability inventory: The agent has permissions to execute shell commands, post GitHub reviews and comments, and invoke additional tools.
- Sanitization: No evidence of sanitization or content validation is present for the ingested PR data.
Audit Metadata