review-pr (skills/sap/fundamental-ngx/review-pr)

Status: Warn

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill employs dynamic context injection to execute shell commands automatically when the skill is loaded. It directly interpolates the user-supplied pull request identifier ($0) into these commands without validation or escaping. A malicious user could provide a crafted input (e.g., 123; dangerous_command) to execute arbitrary code on the host system.
    • Evidence:
      • !gh pr diff $0 in SKILL.md
      • !gh pr view $0 in SKILL.md
      • !gh pr diff $0 --name-only in SKILL.md
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external pull requests and processes it within the agent's context without adequate isolation or sanitization.
    • Ingestion points: Pull request diffs and metadata are fetched using gh pr diff and gh pr view (SKILL.md).
    • Boundary markers: The skill does not use delimiters (such as XML tags or triple quotes) or explicit instructions telling the agent to ignore natural-language instructions found within the PR data.
    • Capability inventory: The agent has access to powerful tools, including Read, Grep, Glob, and shell execution via Bash(gh *) and Bash(nx *).
    • Sanitization: No sanitization or validation is performed on the data returned from the GitHub CLI before it is presented to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 5, 2026, 12:53 PM