tasks-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8). Evidence Chain: 1. Ingestion points: The skill ingests untrusted data via git diff, git log, and the Read tool on changed files. 2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the workflow. 3. Capability inventory: The skill has Write, Edit, and Bash tools, allowing for file modification and command execution. 4. Sanitization: There is no evidence of sanitization or filtering of the ingested code content. An adversary could craft a pull request containing instructions that override the agent's logic to perform unauthorized actions.
- COMMAND_EXECUTION (MEDIUM): The skill uses the Bash tool to execute git commands. While the intended use is restricted to repository metadata, the availability of a shell environment to an autonomous agent processing untrusted input creates a significant attack surface for command manipulation or escape.
Recommendations
- AI detected serious security threats
Audit Metadata