review-fix-loop
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically executes commands derived from user input or parsed from project configuration files (e.g., package.json, pyproject.toml, Makefile, Justfile). If a repository contains malicious configuration files, the skill could be tricked into executing arbitrary code when it attempts to run lint or test commands.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection during the subagent dispatch phase in Step 7.
  - Ingestion points: The skill captures stdout and stderr from external tools in Step 3 (SKILL.md) and parses them for findings.
  - Boundary markers: The prompt template in Step 7 lacks explicit delimiters or instructions to ignore embedded commands within the <fix_instructions> variable.
  - Capability inventory: Subagents are explicitly tasked with editing file content (Step 7 in SKILL.md).
  - Sanitization: No sanitization or safety checks are performed on the tool output before it is interpolated into the instructions for the subagent.
Audit Metadata