plan-local-code-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection through the ingestion of untrusted local repository data.
- Ingestion points: SKILL.md defines workflows that ingest commit messages (Step 3: git log), code diffs (Step 4b: git diff), project guidance (Step 2/4a: CLAUDE.md), and code comments (Step 4e). An attacker could place malicious instructions in any of these locations to influence the agent's review logic or scoring.
- Boundary markers: Absent. The skill does not provide clear delimiters (e.g., XML tags or backticks) to separate its instructions from the data being reviewed, nor does it explicitly warn sub-agents to ignore instructions contained within the analyzed content.
- Capability inventory: The skill uses subprocess calls to execute git commands (Steps 1, 3, 4) and writes to the local file system (claude-review.md in Step 7).
- Sanitization: Absent. The content of commit messages and files is passed directly to Sonnet and Haiku agents for analysis without filtering or validation.
Audit Metadata