document-review
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted document content which is then passed to multiple LLM-based reviewer personas. A malicious document could contain instructions designed to manipulate these personas into generating specific findings or malicious "auto-fixes".
  - Ingestion points: Document content is read from user-specified paths or located via glob and then interpolated into the `{document_content}` variable in the sub-agent template (`references/subagent-template.md`).
  - Boundary markers: The sub-agent prompt uses XML-style tags such as `<review-context>` and `<persona>` to provide structure, but these do not fully prevent instruction injection from the untrusted document content.
  - Capability inventory: The main orchestrator has access to an `edit` tool to modify files, while sub-agents can use file reads, `glob`, `grep`, and `git log` to inspect the codebase.
  - Sanitization: The skill does not implement explicit sanitization or escaping of the ingested document content before it is used in sub-agent prompts.
- [COMMAND_EXECUTION]: The skill's orchestrator uses an `edit` tool to automatically apply "auto-fixes" to the document being reviewed. In "headless mode", these edits are performed silently without a human-in-the-loop review step. This automation, combined with the risk of indirect prompt injection, could allow a malicious document to trigger unintended or harmful modifications to project files.
Audit Metadata