skill-reviser
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in Stage 5, where it interpolates external data into the subagent's prompt.
  - Ingestion points: Data is ingested from `specs/state.json`, `.claude/context/formats/plan-format.md`, and user-provided input for the `revision_reason` field.
  - Boundary markers: The skill uses `<artifact-format-specification>` tags to delimit the format instructions, but other fields are interpolated directly into a JSON structure without explicit escaping or boundary markers.
  - Capability inventory: The skill has access to `Bash` (command execution), `Task` (subagent spawning), `Edit`, and `Write` (file system modification).
  - Sanitization: There is no evidence of sanitization or validation of the strings before they are interpolated into the prompt sent to the `reviser-agent`.
- [COMMAND_EXECUTION]: The skill uses file paths provided by a subagent's metadata file as arguments in shell script executions.
  - Evidence: In Stages 6a and 8, the skill reads `artifact_path` from `.return-meta.json` (a file written by the subagent) and passes it to `validate-artifact.sh` and `link-artifact-todo.sh`.
  - Risk: While the paths are used within double quotes in the provided bash snippets, this pattern creates a dependency on the subagent's integrity. If a subagent were compromised or the metadata file manipulated, it could be used to target sensitive files through these scripts.