autonomous-review
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface by ingesting and acting upon untrusted content from issue comments and pull request diffs. \n
- Ingestion points: The skill instructions in
SKILL.mddirect the agent to read issue comments (gh issue view) and PR diffs (gh pr diff). \n - Boundary markers: There are no explicit delimiters or protective instructions provided to the agent to distinguish untrusted data from the core logic. \n
- Capability inventory: The agent is authorized to merge code, modify issue checkboxes, and perform browser automation using the Chrome DevTools MCP. \n
- Sanitization: No sanitization or validation of the ingested external text is specified. \n- [COMMAND_EXECUTION]: The skill makes extensive use of system shell commands, specifically
gitandgh(GitHub CLI), to perform branch rebasing, code pushing, and PR management. \n- [COMMAND_EXECUTION]: The skill uses dynamic context injection via hooks in the YAML frontmatter to execute local shell scripts (block-push-to-main.shandverify-completion.sh) during the skill loading and stopping phases. \n- [EXTERNAL_DOWNLOADS]: The E2E verification procedure involves navigating to external web environments (PR previews) using browser automation tools.
Audit Metadata