autonomous-review

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface by ingesting and acting upon untrusted content from issue comments and pull request diffs. \n
  • Ingestion points: The skill instructions in SKILL.md direct the agent to read issue comments (gh issue view) and PR diffs (gh pr diff). \n
  • Boundary markers: There are no explicit delimiters or protective instructions provided to the agent to distinguish untrusted data from the core logic. \n
  • Capability inventory: The agent is authorized to merge code, modify issue checkboxes, and perform browser automation using the Chrome DevTools MCP. \n
  • Sanitization: No sanitization or validation of the ingested external text is specified. \n- [COMMAND_EXECUTION]: The skill makes extensive use of system shell commands, specifically git and gh (GitHub CLI), to perform branch rebasing, code pushing, and PR management. \n- [COMMAND_EXECUTION]: The skill uses dynamic context injection via hooks in the YAML frontmatter to execute local shell scripts (block-push-to-main.sh and verify-completion.sh) during the skill loading and stopping phases. \n- [EXTERNAL_DOWNLOADS]: The E2E verification procedure involves navigating to external web environments (PR previews) using browser automation tools.
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 07:03 PM
Security Audit — agent-trust-hub — autonomous-review