review
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on several local shell scripts (init-config.sh, find-artifact.sh, find-solution.sh, scope-drift.sh, save-artifact.sh, and suggest-security.sh) to handle configuration, search for previous context, and persist review results.
- [COMMAND_EXECUTION]: A PostToolUse hook is configured to execute the suggest-security.sh script automatically after Bash tool usage to check for modifications to security-sensitive files (e.g., .env, auth, payments).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it incorporates external data into its reasoning process.
  - Ingestion points: Changed code files (retrieved via git diff) and historical project artifacts (retrieved via find-artifact.sh and find-solution.sh) are read into the agent's context.
  - Boundary markers: Absent; the skill does not define clear delimiters or provide instructions to ignore potential commands embedded within the code or artifacts being reviewed.
  - Capability inventory: The agent has access to the Bash tool, which it uses to run the skill's internal logic and helper scripts.
  - Sanitization: None; there is no evidence of sanitization or validation of the content ingested from the codebase or artifacts.
Audit Metadata