Skills
skills/dokhacgiakhoa/antigravity-ide/code-review-ai-ai-review/Gen Agent Trust Hub

code-review-ai-ai-review

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted pull request data.
  • Ingestion points: The pr_description and code_diff variables are directly interpolated into LLM prompts in sub-skills/ai-assisted-review.md and the orchestrator script in sub-skills/github-actions.md.
  • Boundary markers: No delimiters or isolation techniques (like XML tags or multi-shot prompting) are used to separate user data from instructions.
  • Capability inventory: The system can execute commands via subprocess, fail the build process, and post external comments via the GitHub API.
  • Sanitization: No input validation or escaping is performed on the untrusted diffs or descriptions.
  • CREDENTIALS_UNSAFE (HIGH): The orchestrator script in sub-skills/github-actions.md handles GITHUB_TOKEN, OPENAI_API_KEY, and ANTHROPIC_API_KEY. An attacker using Indirect Prompt Injection could trick the LLM into disclosing these environment variables in its output, leading to credential exfiltration via GitHub comments.
  • COMMAND_EXECUTION (MEDIUM): The skill uses subprocess.run and subprocess.check_output to execute static analysis tools like SonarQube and Semgrep. While currently using hardcoded parameters, this pattern increases the attack surface in an environment handling untrusted code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 02:47 PM