cr
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell operations for managing git worktrees, cleanup, and automated commits using system tools like git and gh.
- [REMOTE_CODE_EXECUTION]: The skill automatically detects and executes build and test commands from the target repository's configuration in references/teams-review.md. This creates a significant risk of arbitrary code execution if the repository or a pull request contains malicious build scripts or test configurations.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external sources without explicit boundary markers or sanitization.
  - Ingestion points: Pull request bodies (PR_BODY), line-level comments (PR_COMMENTS), and the repository source files being reviewed.
  - Boundary markers: Absent. The skill lacks explicit delimiters to isolate ingested data from the agent's instructions.
  - Capability inventory: Execution of shell commands (git, gh), automated build/test runs, and GitHub API write access including approving and merging pull requests.
  - Sanitization: Absent. There is no evidence of input validation or instruction filtering for ingested content.
Audit Metadata