requesting-code-review
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local shell commands to perform git operations. Evidence in `SKILL.md` includes the use of `git rev-parse` to determine commit SHAs. Evidence in `code-reviewer.md` includes a shell block executing `git diff --stat {BASE_SHA}..{HEAD_SHA}` and `git diff {BASE_SHA}..{HEAD_SHA}`.
- [PROMPT_INJECTION]: The subagent template is susceptible to indirect prompt injection.
  - Ingestion points: The placeholders `{DESCRIPTION}`, `{PLAN_REFERENCE}`, `{BASE_SHA}`, and `{HEAD_SHA}` in `code-reviewer.md` ingest external data.
  - Boundary markers: No boundary markers (e.g., delimiters like XML tags) or 'ignore' instructions are used around interpolated placeholders.
  - Capability inventory: The subagent executes `git` commands and provides analysis.
  - Sanitization: No sanitization or validation of the input placeholders is evident in the skill files.
- [COMMAND_EXECUTION]: Potential for shell command injection through template placeholders. The placeholders `{BASE_SHA}` and `{HEAD_SHA}` are interpolated directly into shell commands within `code-reviewer.md`. If these variables are populated with malicious shell metacharacters (e.g., `;`, `|`, `&&`), they could be used to execute arbitrary commands beyond the intended `git diff`.