code-review
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill instructs users to install external packages 'llm' and 'llm-claude-3' from PyPI. Installing unpinned external dependencies at runtime introduces a supply chain risk where malicious updates could be executed.
- Dynamic Execution (MEDIUM): The skill relies on several local shell scripts (e.g., './scripts/extract-changes.sh', './scripts/llm-review.sh') which are not provided in the skill definition. Executing these scripts allows for arbitrary command execution within the agent's environment.
- Data Exposure & Exfiltration (LOW): Sensitive source code diffs are stored in '/tmp/pr-diff.txt', making them potentially accessible on multi-user systems. The skill is also designed to send these diffs to third-party LLM providers (OpenAI and Anthropic).
- Indirect Prompt Injection (LOW): The skill processes untrusted code diffs from external contributors. Maliciously crafted code comments or documentation could contain instructions designed to influence the LLM's review verdict. Evidence: 1. Ingestion points: Output from 'git diff' of repository changes. 2. Boundary markers: None specified to separate code from instructions. 3. Capability inventory: Execution of local scripts, file system access, and network communication via the 'llm' tool. 4. Sanitization: No sanitization of diff content is performed before review.
Audit Metadata