review-team
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted code and interpolates it into sub-agent prompts.
  - Ingestion points: Code is read using commands like git diff as specified in references/scope-discovery.md and references/preflight-risk-model.md.
  - Boundary markers: The references/subagent-template.md prompt does not define clear delimiters (e.g., XML tags) to isolate the code under review, nor does it include explicit instructions to ignore directives embedded within the code snippets.
  - Capability inventory: The skill manages sub-agents that return structured JSON findings, which are then merged into an actionable report by the manager agent.
  - Sanitization: There is no mention of sanitization or escaping of the code content before it is processed by the agents.
- [COMMAND_EXECUTION]: The skill's workflow suggests running shell commands with parameters derived from the context.
  - Evidence: In references/intent-discovery.md and references/scope-discovery.md, commands like git log --oneline --decorate and git show --stat --summary are suggested. If the or variables are derived from untrusted input and not sanitized, it could lead to command injection.