address-gemini-feedback
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a vulnerability to indirect prompt injection by processing untrusted data from external sources.
- Ingestion points: Review comments and thread data are ingested via the
./scripts/agents/tooling/agentTool.ts getReviewThreadscommand inSKILL.md. - Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard malicious directives that might be embedded within the PR comment bodies.
- Capability inventory: The skill possesses significant capabilities, including executing shell commands, performing file system modifications, committing changes, and pushing directly to remote branches (
git push). - Sanitization: No sanitization or validation logic is present to filter the content of PR comments before they influence the agent's code generation or execution steps.
- [COMMAND_EXECUTION]: The skill relies on several shell commands and local scripts to perform its tasks.
- Evidence: It invokes a local vendor tool
./scripts/agents/tooling/agentTool.ts, along with standard utilities likegit,gh(GitHub CLI), andpnpm. While these are appropriate for the skill's primary function of repository management, they represent the capability set that could be exploited via indirect injection.
Audit Metadata