engineer-review
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from code diffs and pull request descriptions without explicit boundary markers or sanitization logic in the sub-agent prompts.
  - Ingestion points: Data enters the agent context through `gh pr diff`, `git diff`, and the `Read` tool (used for project configuration and source files).
  - Boundary markers: The prompts defined for the parallel reviewers (Security, Performance, etc.) do not include delimiters or instructions to ignore embedded commands within the code being reviewed.
  - Capability inventory: The agent has access to `Bash`, `Task` (agent spawning), and `Write` tools, which could be exploited if an injection attack succeeds.
  - Sanitization: No evidence of input validation or escaping of the code content before it is passed to the sub-agent prompts.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to execute system commands such as `gh pr diff` and `git diff`. While these are necessary for the skill's functionality, they represent a standard command execution surface.
Audit Metadata