code-review
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from git repositories, such as diffs and commit messages, which creates a surface for indirect prompt injection. \n
- Ingestion points: Data is ingested via git show, git log, and git diff commands in references/git_operations.md. \n
- Boundary markers: No specific delimiters or instructions to treat ingested data as untrusted are provided. \n
- Capability inventory: The skill utilizes shell commands (git, rg, fd). \n
- Sanitization: No explicit sanitization of repository content is mentioned.\n- [COMMAND_EXECUTION]: The skill's search patterns in references/impact_detection.md use parameters derived from the codebase (e.g., symbol names), which could lead to command injection if not properly escaped. Notably, the instructions include the -F flag for ripgrep in some instances, which mitigates certain injection risks by treating the input as a fixed string.\n- [CREDENTIALS_UNSAFE]: The change classification logic in references/change_analysis.md includes .env and other configuration files, which ensures the agent analyzes sensitive files that may contain secrets, potentially exposing them in the review output.
Audit Metadata