second-opinion
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE (flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local CLI tools, including git, codex-cli, and gemini, to compute code diffs and perform analysis. It uses specific command templates designed to restrict the tools' operations, such as enforcing read-only environments and preventing unintended repository modifications.
- [DATA_EXFILTRATION]: This skill transmits source code and repository diffs to external services (OpenAI Codex and Google Gemini) to facilitate code reviews. This transmission is the core purpose of the skill and is explicitly disclosed in its description, with instructions to verify repository policies before execution.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it processes untrusted content from git diffs and repository files, which is then interpreted by an external LLM.
  - Ingestion points: Untrusted data enters the agent context via `git diff` output, untracked files, and repository instruction files such as AGENTS.md and CLAUDE.md, as specified in references/workflow.md.
  - Boundary markers: The skill uses a structured 'Review brief' to encapsulate code changes, providing clear labels and constraints (e.g., 'Do not modify files') to the external reviewer.
  - Capability inventory: The skill can execute shell commands for diff generation and call external review CLIs that interact with remote APIs.
  - Sanitization: To mitigate potential command or prompt injection, the skill prefers passing complex inputs via prompt files or stdin rather than raw shell interpolation.
Audit Metadata