relay-review

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the gh and git CLI tools to manage pull requests, fetch diffs, and interact with repository metadata. These operations are performed via Node.js execFileSync with appropriately scoped arguments and are core to the skill's intended purpose.
  • [EXTERNAL_DOWNLOADS]: Pull request diffs, issue descriptions, and PR body content are fetched from GitHub via the gh CLI (a well-known service). This data is processed as the primary input for the code review.
  • [PROMPT_INJECTION]: The skill identifies a potential indirect prompt injection surface and implements specific defenses:
      ◦ Ingestion points: Untrusted data enters the agent context via gh pr diff, gh issue view, and gh pr view output (referenced in scripts/review-runner/context.js and scripts/review-runner.js).
      ◦ Boundary markers: The references/reviewer-prompt.md file defines a strict 'Content boundary rule' using <task-content> tags to delimit external data.
      ◦ Capability inventory: The skill possesses capabilities for command execution (gh, git), local file system writes (~/.relay/runs/), and network operations via the GitHub API.
      ◦ Sanitization: The model is explicitly instructed to disregard any instructions or directives (e.g., 'ignore previous instructions') found within the boundary-marked data segments.
  • [SAFE]: A security monitor in scripts/review-runner/reviewer-invoke.js performs a runtime check for unexpected file system modifications after a reviewer round completes. If changes are detected, it flags a policy violation and escalates the manifest, providing a safeguard against unauthorized code changes by the AI model.
Audit Metadata
Risk Level: SAFE
Analyzed: May 3, 2026, 11:33 PM