create-review
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically generates multiple bash scripts (
pack.sh,render-prompt.sh,copy-prompt.sh) and saves them to the.chalk/reviews/scripts/directory. These scripts are then made executable usingchmod +xand invoked via the Bash tool to perform git operations and manage prompt files. The reviewer argument is sanitized to a kebab-case string to prevent command injection at the prompt interface. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by incorporating external data into the generated AI prompts.
- Ingestion points: The skill ingests data from the local environment via
git diff,git log, andgit status, as well as from local files such ashandoff.mdand user-supplied reviewer templates (SKILL.md). - Boundary markers: The generated prompt uses markdown headers (e.g.,
## Review Pack,## Handoff) and code blocks to separate different data sections. However, it lacks explicit instructions or system-level delimiters to prevent the reviewer agent from following instructions embedded within the codebase being reviewed. - Capability inventory: The skill utilizes the
Bash,Write,Read,Glob, andGreptools. It has the capability to write files, execute scripts, and interact with the system clipboard using tools likepbcopy,xclip, orwl-copy(SKILL.md). - Sanitization: The reviewer name is sanitized to prevent shell injection, but the contents of git diffs and handoff files are interpolated directly into the final prompt file without further sanitization or escaping of potentially malicious instructional content.
Audit Metadata