diff-review-doc
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill utilizes a bash script scripts/get_diff.sh to execute git commands. While intended for retrieving diffs, the use of shell scripts with parameters (like --branch or --commit) provides a vector for command injection if input is not strictly validated.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to the way it processes external data:
  - Ingestion points: The agent reads untrusted data from git diff outputs and the contents of local source files (via Step 2: "Read relevant files").
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the workflow. The skill instructs the agent to "Accept the diff content as-is".
  - Capability inventory: The agent has the ability to execute shell scripts (scripts/get_diff.sh) and read arbitrary files from the repository to gain "context".
  - Sanitization: There is no evidence of sanitization or filtering to prevent the agent from obeying instructions hidden within code hunks, comments, or commit messages.
  - Risk: An attacker could submit a pull request containing malicious prompt instructions. When the agent analyzes the changes, it may treat those instructions as authoritative, potentially leading to data exposure or further unauthorized command execution.
Recommendations
- AI detected serious security threats
Audit Metadata