requesting-code-review
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to ingest external, potentially untrusted content such as placeholders and git diffs.
- Ingestion points: Variables such as {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION} in SKILL.md, along with the source code diffs between BASE_SHA and HEAD_SHA.
- Boundary markers: Absent. No delimiters are used to separate untrusted content from instructions.
- Capability inventory: The skill directs the agent to 'Act on feedback' and 'Fix Critical issues immediately.' This creates a risk where malicious instructions embedded in code comments or PR descriptions could influence the agent's subsequent write/execute actions.
- Sanitization: No sanitization or validation of input variables is described.
- Command Execution (LOW): The skill utilizes standard git commands (rev-parse, log, awk) to manage commit history. While these execute subprocesses, they are restricted to local repository metadata and are standard for the described purpose.
Audit Metadata