staged-review-validator
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to dynamically construct and execute shell commands (e.g., rg -n "关键符号" <path>, sed -n '<start>,<end>p' <path>, git show HEAD:<path>) using values parsed directly from user-provided review reports. Because these parameters are neither sanitized nor validated, a malicious report that places shell metacharacters in paths or keywords could achieve command injection.
- [PROMPT_INJECTION]: The skill's primary function is to parse and act upon a user-supplied staged-changes-review report, which is a significant ingestion point for indirect prompt injection. A malicious actor could embed instructions within the report to manipulate the agent's logic, bypass checks, or influence the final verdict. Evidence chain: an ingestion point exists in the user-provided report text; boundary markers (delimiters) are not implemented; the capability inventory includes file-system reading and local command execution; sanitization of the input report is not defined.
- [DATA_EXFILTRATION]: Because the tool is empowered to read file contents and git history at user-defined paths, it could be leveraged to expose sensitive files (e.g., .env, credentials, or private keys) if an attacker-controlled report supplies those paths to the validation engine.
Audit Metadata