security-review
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core function of analyzing untrusted code from pull requests.
- Ingestion points: Source code content is ingested via
git diffandfindcommands as defined in Step 2 and Step 3 of SKILL.md. - Boundary markers: The skill lacks instructions to wrap ingested code in delimiters or provide clear negative constraints to ignore instructions embedded in code comments.
- Capability inventory: The skill has the ability to execute shell commands (
git,npm,pip), write files to the repository (.factory/directory), and post comments to pull requests. - Sanitization: There is no mention of sanitizing or escaping the untrusted code content before it is processed by the AI model.
- [COMMAND_EXECUTION]: The skill utilizes multiple shell commands to determine analysis scope and perform dependency scanning, including
git,find,npm audit,pip-audit,govulncheck, andcargo audit. These are documented as part of the skill's intended auditing functionality.
Audit Metadata