review-code

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool for operational management, specifically creating scratchpad directories for reports in SKILL.md and removing temporary state files in phases/state-manager.md. These commands are constrained to the skill's specific working directory.
  • [DATA_EXFILTRATION]: The skill reads local file contents using the Read tool in phases/actions/action-collect-context.md and phases/actions/action-deep-review.md to facilitate code analysis. This represents a data exposure surface where the agent accesses local source code files based on user-provided paths.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the analysis of untrusted source code.
      • Ingestion points: Source code content is ingested from the filesystem in phases/actions/action-quick-scan.md and phases/actions/action-deep-review.md.
      • Boundary markers: The Task prompt in phases/orchestrator.md interpolates the full state JSON (including code findings) but lacks explicit delimiters or instructions to ignore commands embedded within the code snippets.
      • Capability inventory: The skill has access to Bash, Write, Read, and Task tools, providing a wide range of actions a successful injection could trigger.
      • Sanitization: There is no evidence of sanitization or escaping of the code snippets before they are included in the sub-agent's prompt context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 12:00 PM