iterative-code-review
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as `git branch` and `git diff` to analyze the repository state and changes.
- [COMMAND_EXECUTION]: The `target_branch` parameter is directly interpolated into shell commands (e.g., `git --no-pager diff origin/<target_branch>...HEAD`). If a user provides a malicious branch name containing shell metacharacters like `;`, `&&`, or `|`, it could lead to arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection.
  - Ingestion points: The agent reads and processes the output of `git diff`, which contains untrusted code from external contributors or branches.
  - Boundary markers: While the prompt instructs sub-agents to "only analyze the diff", there are no robust delimiters or escaping mechanisms to prevent malicious instructions within the code from being interpreted as commands by the AI.
  - Capability inventory: The skill possesses the capability to execute shell commands and write changes to local files, which could be abused if an injection is successful.
  - Sanitization: No sanitization is performed on the diff content before it is processed by the AI sub-agents.
Audit Metadata