code-review
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection through indirect prompt injection. In SKILL.md, the agent is instructed to pass summaries of code changes (`CHANGESET_SUMMARY`, `CODE_REVIEW_SUMMARY`) as arguments to a bash script. If an attacker crafts a malicious code change (a diff, commit message, PR description or code comment the agent reads) that tricks the agent into including shell-sensitive characters such as `$(...)` or backticks in the summary, the shell that parses the resulting command line performs command substitution and executes arbitrary code on the host machine. A double quote in the summary would likewise terminate the quoted argument, so the problem is the summary being spliced into command text at all, not any particular character.
- [DATA_EXFILTRATION]: Sensitive developer information is exposed locally. The `scripts/collect-metrics.sh` script retrieves the user's Git username (`git config user.name`), email address (`git config user.email`), and the remote origin URL. This data is written to a file in `/tmp/metrics_code-review_*.sh`. On most systems the `/tmp` directory is accessible to all users, and the predictable file name makes it easy to find, so any other user or process on the machine could harvest the developer's identity and repository links. Whether the file is actually readable depends on the mode it is created with: under the common default umask of 022 a file created by plain redirection is world-readable, and the sticky bit on `/tmp` only stops other users from deleting or renaming it.
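Both findings come down to how data reaches a shell. The following is an added example, not the skill's own code: it stands in for `scripts/collect-metrics.sh` with a throw-away script that echoes its first argument, feeds it a constructed summary containing `$(echo INJECTED)`, and contrasts the vulnerable pattern (summary pasted into the command text) with two safe ones (summary passed as argv or as an environment variable, expanded only inside the script's own quoted reference). It then shows the difference between writing a metrics file by redirection under a 022 umask and creating it with `mktemp` under a 077 umask. All function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example; not the code-review skill's own code. Names are hypothetical.
set -u

# Throw-away stand-in for scripts/collect-metrics.sh: prints the summary
# it receives as its first argument. Invoked via "sh FILE" so it needs no
# exec bit (works even on a noexec /tmp).
STUB=$(mktemp)
printf '%s\n' '#!/bin/sh' 'printf "summary=%s\n" "$1"' > "$STUB"
export STUB
trap 'rm -f "$STUB"' EXIT

# Constructed attacker-controlled text, e.g. a PR description the agent
# copied into CHANGESET_SUMMARY. INJECTED appears only if $(...) ran.
MALICIOUS_SUMMARY='Refactor logging $(echo INJECTED) and fix typos'

# --- Finding 1: command substitution inside a shell-parsed argument ---

# Vulnerable: the summary is spliced into the command text and a shell
# parses the result, so $(...), backticks and stray quotes are honoured.
run_vulnerable() {
    cmdline="sh \"$STUB\" \"$1\""
    sh -c "$cmdline"
}

# Safe: the command text is a fixed string; the summary travels as a
# positional parameter and is only expanded inside the quoted "$1".
run_safe_argv() {
    sh -c 'sh "$STUB" "$1"' _ "$1"
}

# Safe: same idea through an environment variable, which suits an agent
# harness that can only run a fixed command line.
run_safe_env() {
    CHANGESET_SUMMARY="$1" sh -c 'sh "$STUB" "$CHANGESET_SUMMARY"'
}

# --- Finding 2: metrics file readable by other local users ---

# Writes the file the way the finding describes (predictable name, plain
# redirection, usual 022 umask) into $1 and returns its permission bits.
write_metrics_insecure() {
    dir=$1
    (
        umask 022
        printf 'user.name=%s\n' "alice" > "$dir/metrics_code-review_$$.sh"
        ls -l "$dir/metrics_code-review_$$.sh" | cut -c1-10
    )
}

# Writes the same data into a file created by mktemp under a 077 umask
# (mode 0600, unpredictable name) and returns its permission bits.
write_metrics_secure() {
    dir=$1
    (
        umask 077
        f=$(mktemp "$dir/metrics_code-review_XXXXXX")
        printf 'user.name=%s\n' "alice" > "$f"
        ls -l "$f" | cut -c1-10
    )
}
```

`run_vulnerable` prints `summary=Refactor logging INJECTED and fix typos`, proving the substitution executed in the child shell; both safe variants print the summary verbatim with `$(echo INJECTED)` intact. `write_metrics_insecure` yields `-rw-r--r--`, `write_metrics_secure` yields `-rw-------`. A per-user directory such as `$XDG_RUNTIME_DIR` is a better home than `/tmp` for this data regardless of mode.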
Recommendations
- AI detected serious security threats.
- Do not splice `CHANGESET_SUMMARY` or `CODE_REVIEW_SUMMARY` into a shell command line. Pass them to the script as positional arguments, environment variables or on stdin, and have the script reference them only through quoted expansions such as `"$1"` or `"$CHANGESET_SUMMARY"`.
- Treat everything the agent reads from the repository (diffs, commit messages, PR descriptions, comments) as untrusted input; the command injection is reached through indirect prompt injection, so the fix has to be in how the data is handed to the shell, not in asking the model to strip special characters.
- Do not write the developer's name, email and remote URL to a predictable path in `/tmp`. If a scratch file is needed, create it with `mktemp` under a 077 umask, prefer a per-user directory, and delete it when the script finishes.
Audit Metadata