Skills
skills/e0ipso/self-review/self-review-apply/Gen Agent Trust Hub

self-review-apply

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes git diff using arguments (git-diff-args) and a working directory (repository) sourced directly from attributes in the input XML file. This allows the data source to influence shell command parameters.
  • [DATA_EXFILTRATION]: The skill reads repository contents via git diff and accesses files from paths provided in the XML (source-path, path). This data, which can include sensitive source code, is loaded into the agent's context and shared with subagents.
  • [EXTERNAL_DOWNLOADS]: The skill reads image files from paths specified in the XML's <attachment> tags to provide visual context to the agent.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the review.xml file. It is instructed to 'understand' and 'implement' feedback provided in natural language within the XML's <body> and category elements using its 'judgment'.
  • Ingestion points: Reads and processes review.xml (or a path provided in arguments) and associated image attachments.
  • Boundary markers: Absent; the agent is directed to treat the XML content as direct instructions for code changes.
  • Capability inventory: Shell command execution (xmllint, git diff), file reading, file modification (code replacement), and subagent task creation (TaskCreate).
  • Sanitization: No explicit sanitization or validation of the XML attributes or body content is performed before they are used to control tool parameters or code edits.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 20, 2026, 04:15 PM