requesting-code-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes local shell commands using `git` to retrieve commit information and code differences.
  - Evidence: `SKILL.md` contains instructions to run `git merge-base`, `git rev-parse`, and `git log`. `templates/code-reviewer.md` executes `git diff` using interpolated variables `{BASE_SHA}` and `{HEAD_SHA}`.
  - Risk: While these commands are limited to `git`, they interact directly with the host shell. If the variables `{BASE_SHA}` or `{HEAD_SHA}` are sourced from untrusted user input without validation, they could potentially be used for command injection (e.g., passing `; command`).
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill processes untrusted data from the git repository and user-provided placeholders without adequate isolation.
  - Ingestion points: The `templates/code-reviewer.md` file ingests data via placeholders `{WHAT_WAS_IMPLEMENTED}`, `{PLAN_OR_REQUIREMENTS}`, and `{DESCRIPTION}`, as well as the output of `git diff` commands.
  - Boundary markers: No explicit delimiters (like XML tags or triple quotes with instructions to ignore content) are used to separate instructions from the data being reviewed.
  - Capability inventory: The subagent has the capability to execute shell commands (`git`) and provide technical assessments that influence the user's workflow.
  - Sanitization: No sanitization or escaping of the interpolated content is performed before passing it to the subagent.
  - Risk: Malicious instructions hidden in code comments or PR descriptions could influence the subagent's review verdict or cause it to ignore specific security flaws during the review process.
Audit Metadata