unified-review
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In the 'Integrate Findings' section of SKILL.md, the skill instructs the agent to automatically execute a bash command:

  python3 scripts/deferred_capture.py --title "<finding title>" --source review --context "Review dimension: <dimension>. <finding description>"

  The placeholders <finding title> and <finding description> are populated with content extracted from the files being reviewed. Without sanitization, shell metacharacters in these findings could lead to arbitrary command injection on the host system. Because the values are spliced inside double quotes, a double quote, a $(...) substitution or a backtick in a finding is enough to break out of, or execute within, the quoted argument; a ; or & that follows a stray double quote then chains a second command.
- [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface (Category 8) due to its core function of processing untrusted code and documentation from external repositories.
  - Ingestion points: Source code, configuration files (e.g., Cargo.toml, openapi.yaml), and documentation (e.g., ADRs) from the repository under review, as described in SKILL.md.
  - Boundary markers: Absent. The instructions do not specify any delimiters or safety markers to differentiate between system instructions and data from the untrusted files.
  - Capability inventory: The skill uses powerful tools including skill-selector, context-analyzer, and report-integrator, and it executes local shell commands.
  - Sanitization: Absent. There is no logic provided to sanitize or escape the untrusted repository content before it is used in report generation or shell execution.
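As an added illustration, which is neither part of this audit nor code from the unified-review skill, the Python below reproduces the injection pattern behind the COMMAND_EXECUTION finding and the two fixes a practitioner would apply: hand the tool an argv list with no shell involved, or, when the agent's tool can only run a bash string, quote every finding field with shlex.quote. It assumes a stand-in for scripts/deferred_capture.py (printf, which is not the real script; it just echoes the arguments it receives) and a constructed finding whose title closes the quoted --title argument and appends a command.

```python
import shlex
import subprocess

# Stand-in for the skill's real `python3 scripts/deferred_capture.py`, which is
# not available here (assumption): printf prints one argv element per line, so
# the output shows exactly which arguments the tool received.
CAPTURE_CMD = ["printf", "%s\\n"]

# Constructed sample finding, as the skill might extract it from a reviewed file.
# The title closes the double-quoted --title argument and appends a command.
MALICIOUS_TITLE = 'Missing auth check"; echo INJECTED; echo "'
DESCRIPTION = "Endpoint /admin is reachable without a session."
DIMENSION = "security"


def build_shell_string(title, description, dimension=DIMENSION):
    """Vulnerable pattern from the finding: untrusted text spliced into a
    command line that is later handed to a shell. Inside double quotes a ';'
    alone is literal, but a '"', '$(...)' or backtick in the value is not."""
    return (
        f"printf '%s\\n' --title \"{title}\" --source review "
        f"--context \"Review dimension: {dimension}. {description}\""
    )


def build_argv(title, description, dimension=DIMENSION):
    """Hardened form: an argv list run without a shell, so every finding field
    reaches the tool as a single argument no matter what characters it holds."""
    return CAPTURE_CMD + [
        "--title", title,
        "--source", "review",
        "--context", f"Review dimension: {dimension}. {description}",
    ]


def build_quoted_shell_string(title, description, dimension=DIMENSION):
    """If the agent's tool can only run a bash string, quote each argument with
    shlex.quote so the shell re-splits it into exactly build_argv()."""
    return " ".join(shlex.quote(arg) for arg in build_argv(title, description, dimension))


def quoted_string_roundtrips(title, description, dimension=DIMENSION):
    """True when shell word-splitting of the quoted string gives back the argv list."""
    quoted = build_quoted_shell_string(title, description, dimension)
    return shlex.split(quoted) == build_argv(title, description, dimension)


def run_via_shell(title, description):
    """Run the vulnerable string through sh -c and return its stdout lines."""
    result = subprocess.run(["sh", "-c", build_shell_string(title, description)],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_via_argv(title, description):
    """Run the hardened argv list (no shell) and return its stdout lines."""
    result = subprocess.run(build_argv(title, description),
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    shell_lines = run_via_shell(MALICIOUS_TITLE, DESCRIPTION)
    argv_lines = run_via_argv(MALICIOUS_TITLE, DESCRIPTION)
    print("via shell string:", shell_lines)   # contains a bare 'INJECTED' line
    print("via argv list:  ", argv_lines)     # title arrives verbatim, nothing else runs
    print("quoted string round-trips:", quoted_string_roundtrips(MALICIOUS_TITLE, DESCRIPTION))
```

Run through sh -c, the constructed title produces a separate INJECTED line, i.e. the appended command executed. Run as an argv list, the same title arrives at the tool as one literal argument, and shlex.split of the quoted string yields that argv list exactly, which is the property a SKILL.md instruction should require before any extracted finding is placed on a command line.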
Audit Metadata