review-chamber

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill possesses an attack surface for indirect prompt injection because it ingests untrusted data from external PRs to populate the knowledge palace.
      • Ingestion points: PR discussion content and metadata are ingested during the capture phase (as described in SKILL.md and modules/capture-workflow.md).
      • Boundary markers: There are no explicit markers or instructions to the agent to ignore embedded commands within the ingested PR content, increasing the risk of the agent obeying instructions hidden in review comments.
      • Capability inventory: The skill executes local Python scripts (scripts/palace_manager.py) and performs semantic searches based on the captured content, providing a mechanism for influenced data to trigger downstream actions.
      • Sanitization: There is no evidence of sanitization, escaping, or filtering of the PR content before it is stored or processed.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:07 PM