review-and-refactor
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: CRITICAL
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to read and follow guidelines from external files (.github/instructions/*.md and .github/copilot-instructions.md). This establishes a surface for indirect prompt injection where an attacker with write access to the repository could embed malicious instructions to manipulate the agent's behavior during the refactoring process.
- Ingestion points: The agent reads content from .github/instructions/*.md and .github/copilot-instructions.md.
- Boundary markers: None. The instructions do not define delimiters or warnings to ignore embedded commands within those files.
- Capability inventory: The agent has the capability to read files, write/refactor code, and execute shell commands to run tests.
- Sanitization: There is no evidence of sanitization or validation logic for the instructions retrieved from these files.
- [COMMAND_EXECUTION]: The task requires the agent to "ensure they [tests] are still passing after your changes," which implies the execution of test runners (e.g., npm test, pytest). This allows for the execution of arbitrary code defined within the project's test files.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata