review-changes
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Phase 1.1 executes a shell pipeline using the $ARGUMENTS variable to generate a session name. If the agent's execution environment performs direct string interpolation into the shell without escaping, a user could execute arbitrary commands through crafted arguments.
- [PROMPT_INJECTION]: Phase 3 reads *.findings.md files and extracts "Suggested fix" content to apply code changes via the Edit tool. This is an indirect prompt injection surface where a malicious reviewer file could influence the agent's code modifications.
  - Ingestion points: Phase 3, Steps 3.1 and 3.2 (reading findings from the .chalk/reviews/sessions/ directory).
  - Boundary markers: Absent.
  - Capability inventory: Edit tool (Phase 3.4), Bash tool (Phases 1.1 and 1.5), Write tool (Phases 1.6 and 3.5).
  - Sanitization: Path validation and mandatory user confirmation before each edit (Phase 3.4.4).
- [COMMAND_EXECUTION]: Phase 1.5 automatically detects and runs build, test, and lint commands based on repository configuration files (e.g., package.json, Makefile), allowing the execution of commands defined in project metadata.
Audit Metadata