cubrid-pr-review

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is instructed to read and process untrusted data from GitHub PR descriptions, comments, and files within the repository (such as CLAUDE.md and AGENTS.md) without sufficient boundary markers or sanitization.
    ◦ Ingestion points: The agent reads PR metadata (gh api), the PR diff (gh pr diff), and comments (gh api ... pulls/NUMBER/comments) from the GitHub API. It also reads files from the repository being reviewed using the Read tool.
    ◦ Boundary markers: Absent. The instructions do not define delimiters or provide system-level warnings to distinguish the agent's instructions from the untrusted data being analyzed. This could allow an attacker to embed malicious instructions in a PR comment to influence the review report or agent behavior.
    ◦ Capability inventory: The skill has permissions for Bash execution (including gh, git, and curl), file system access via Read and Write, and LSP diagnostic tools.
    ◦ Sanitization: No sanitization or validation is performed on the content retrieved from external GitHub resources before processing.
  • [COMMAND_EXECUTION]: The helper script scripts/check-prereqs.sh uses a brittle pattern for constructing jq filters by interpolating shell variables directly into the filter string.
    ◦ Evidence: jq '{ owner: "'"$OWNER"'", ... }' in scripts/check-prereqs.sh.
    ◦ Risk: While GitHub's constraints on owner and repository names (which exclude characters such as double quotes) currently mitigate the risk of successful filter injection, this pattern is generally unsafe. Passing variables with jq --arg is the recommended secure practice to prevent logical subversion of the JSON processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 02:18 AM