code-review
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
run.pyscript usessubprocess.run(shell=True)to execute git commands where thebaseandpathsarguments are directly interpolated into the command string without sanitization. An attacker could use shell metacharacters in these fields to execute arbitrary commands.\n- [PROMPT_INJECTION]: The skill ingests untrusted code and git metadata which are then used to build a prompt for the LLM, creating a surface for indirect prompt injection.\n - Ingestion points: Git diffs, log messages, and file contents are collected in
run.py.\n - Boundary markers: No boundary markers or sanitization logic is present to isolate untrusted data from the review instructions.\n
- Capability inventory: The script has the ability to execute shell commands and read files on the local system.\n
- Sanitization: No sanitization or escaping is performed on the gathered repository data before it is included in the prompt.
Recommendations
- AI detected serious security threats
Audit Metadata