code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection.
  - Ingestion points: The skill ingests untrusted code content through 'git diff' commands in SKILL.md.
  - Boundary markers: No delimiters or 'ignore' instructions are provided to the subagent to isolate the untrusted code changes from the review logic.
  - Capability inventory: The skill executes shell commands (git), and its output determines critical review verdicts (APPROVED vs. NEEDS_CHANGES), which may influence automated CI/CD processes or developer trust.
  - Sanitization: No sanitization or filtering is performed on the diff content before it is passed to the LLM.
- [COMMAND_EXECUTION] (LOW): The skill executes shell-based git commands like 'git rev-parse' and 'git diff'. While positional arguments are verified for existence, the reliance on shell execution for external data increases the attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata