code-reviewer
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses deceptive metadata and documentation, claiming to be an 'Official Plugin' authored by a specific Anthropic employee ('Boris Cherny'). This contradicts the provided author context ('alfredolopez80'). Such impersonation can lead users and agents to bypass security scrutiny or grant excessive permissions based on false trust.
- [COMMAND_EXECUTION]: There is a critical contradiction between the skill's stated security model and its technical configuration. The documentation claims 'Review agents [are] restricted to Read/Grep/Glob (no Write/Edit)' for safety, but the `allowed-tools` frontmatter explicitly includes `Bash` and `Write`. This allows the skill to perform arbitrary system commands and file modifications while misleading the user about its restricted nature.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of processing untrusted external data (source code and PR diffs).
  - Ingestion points: The `/code-review` command and associated agents ingest content from the current repository and Git history (SKILL.md).
  - Boundary markers: There are no instructions provided to the agent to ignore or delimit embedded instructions within the code being reviewed.
  - Capability inventory: The skill possesses `Bash` and `Write` capabilities (SKILL.md frontmatter).
  - Sanitization: No sanitization or validation of the ingested code is described, allowing malicious comments in reviewed files to potentially influence the agent to execute unauthorized shell commands.
Audit Metadata