review-swarm
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting and processing content from the current workspace that may be controlled by an external actor (e.g., in a pull request review context).
  - Ingestion points: The skill reads `git diff` output and local files such as `AGENTS.md`, repository workflow documents, and architecture/contract documentation.
  - Boundary markers: The instructions lack explicit directives to use delimiters or "ignore instructions" markers when interpolating the ingested content into the prompts for the sub-agent reviewers.
  - Capability inventory: The agent utilizes file reading and `git` commands. Crucially, the skill includes explicit instructions that all sub-agents must remain read-only and are prohibited from performing file edits (`apply_patch`), staging changes, or other workspace mutations.
  - Sanitization: No evidence of input sanitization or escaping of the ingested data was found in the instructions.
Audit Metadata