lisa-review-implementation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill reads untrusted project files and manifest data to generate natural language recommendations for 'upstreaming' changes. This creates a significant surface for indirect prompt injection. Ingestion points: .lisa-manifest and project files (SKILL.md Step 2, 4). Boundary markers: Absent. Capability inventory: File writing to the Lisa directory and Bash execution for diffing (SKILL.md Step 4, 6). Sanitization: None.
- [Command Execution] (MEDIUM): The skill uses the Bash tool to execute diff on paths determined at runtime. Without strict validation of the .lisa-manifest content, this could lead to path traversal or reading of sensitive files outside the intended project scope.
- [File Write Access] (HIGH): Step 6 allows the agent to write files from an untrusted project into the Lisa installation directory. If the agent's decision-making is compromised via indirect injection, it could result in the templates themselves being backdoored.
Recommendations
- AI detected serious security threats
Audit Metadata