receiving-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is explicitly designed to ingest and act upon feedback from 'External Reviewers,' creating a major surface for Indirect Prompt Injection.
  - Ingestion points: Untrusted content enters the context through the 'External Reviewers' processing logic defined in SKILL.md.
  - Boundary markers: Absent. There are no instructions to delimit external feedback or treat it as low-privilege data.
  - Capability inventory: The agent is instructed to 'implement' code changes (file system write) and 'test each fix' (likely subprocess execution), and is provided with specific patterns for using the gh api tool.
  - Sanitization: Absent. The skill relies on the agent's reasoning ('be skeptical') rather than technical sanitization or validation of the input.
- COMMAND_EXECUTION (MEDIUM): The skill instructs the agent to perform actions such as 'implementing' fixes and 'testing,' which typically involve shell command execution. It also explicitly provides a command pattern for gh api interactions. These capabilities, while intended for legitimate use, represent a high-risk impact if the agent is compromised via the aforementioned prompt injection surface.
Recommendations
- AI detected serious security threats
Audit Metadata