review-evals
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill incorporates user-provided $ARGUMENTS into a bash command line (python3 ... <workspace> --skill-name <name>) without explicit sanitization instructions. This can lead to arbitrary command injection if the input contains shell metacharacters like semicolons or backticks.
- [DYNAMIC_EXECUTION]: The skill executes a Python script located at a computed path relative to the skill root (${SKILL_ROOT}/../skill-shaper/scripts/generate_review.py). Executing code from a sibling directory outside the skill's own tree poses a risk if that external location is compromised or contains unexpected content.
- [DATA_EXPOSURE]: The skill reads evaluation results from the local file system and opens them in a web browser. This process could lead to the unintended exposure of sensitive internal project details or environment logs to the browser context.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted evaluation results from a workspace to generate its reports, creating a surface for indirect instructions to influence the agent.
- Ingestion points: Reads data from the user-specified .skill-eval/workspace directory.
- Boundary markers: None identified; raw data is passed directly to the script generator.
- Capability inventory: Uses Bash for command execution and Read for file system access.
- Sanitization: No validation or sanitization is performed on the ingested evaluation content or user-supplied paths.
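Illustration of the COMMAND_EXECUTION finding above, added here and not taken from the skill or its generate_review.py: the unsafe way of pasting $ARGUMENTS into the command string is shown beside a hardened form that validates the skill name and workspace path and passes each value as its own argv word. The real script is replaced by a stub that echoes the argv it receives; the command shape (python3 <script> <workspace> --skill-name <name>) follows the finding, while the function names and the allow-list rule are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration (not the skill's own code). generate_review.py is
# replaced by a stub that prints each argv word it receives, so the effect of
# shell re-parsing is visible without running any real script. The function
# names and the allow-list rule below are assumptions.

# Stub standing in for "python3 .../generate_review.py": one argv word per line.
generate_review_stub() {
  printf '%s\n' "$@"
}

# UNSAFE pattern: the whole user string is pasted into a command line and
# re-parsed by the shell, so a ';' or backtick in $ARGUMENTS becomes a second
# command. Shown only to make the finding concrete; do not use this form.
run_unsafe() {
  eval "generate_review_stub $1"
}

# Allow-list check for a skill name: letters, digits, '-' and '_', 1-64 chars.
# Anything else (space, ';', '`', '$', '/', ...) is rejected outright.
is_valid_skill_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Workspace path check: must not be empty, must not look like an option
# (so the script cannot be steered with a crafted "--flag"), and must not
# contain a newline. Existence and containment under the expected root are
# left to the caller.
is_valid_workspace() {
  local nl
  nl=$(printf '\nx'); nl=${nl%x}
  case "$1" in
    ''|-*) return 1 ;;
    *"$nl"*) return 1 ;;
  esac
  return 0
}

# HARDENED pattern: validate first, then hand each value to the script as a
# separate argv word. Nothing is re-parsed by the shell, so metacharacters
# stay literal data and the original finding no longer applies.
run_safe() {
  local workspace="$1" skill="$2"
  if ! is_valid_workspace "$workspace"; then
    printf 'rejected workspace path\n' >&2
    return 2
  fi
  if ! is_valid_skill_name "$skill"; then
    printf 'rejected skill name\n' >&2
    return 2
  fi
  generate_review_stub "$workspace" --skill-name "$skill"
}

# Demo: the same crafted string executes under the unsafe form and is
# rejected by the hardened one; a clean call goes through unchanged.
echo '=== unsafe: injected echo runs ==='
run_unsafe 'ws --skill-name x; echo INJECTED'
echo '=== hardened: same string rejected ==='
run_safe ws 'x; echo INJECTED' || true
echo '=== hardened: valid call ==='
run_safe .skill-eval/workspace review-evals
```

The hardened form relies on two things: an allow-list rather than an attempt to strip "dangerous" characters, and never rebuilding a command string from user input. Shell quoting around an interpolated string is not a substitute, because a later `eval`, `bash -c`, or an agent re-running the printed command line re-parses it.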
Audit Metadata