x-agents-cross-review

Fail

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly instructs the agent launcher to operate in a mode designed to circumvent security controls.
    • Evidence: In SKILL.md (Phase 3: Agent Launch), the agent configuration includes mode: "bypassPermissions". This is a direct attempt to override platform-level permission checks or safety filters.
  • [PROMPT_INJECTION]: Surface for indirect prompt injection via ingestion of untrusted external material.
    • Ingestion points: SKILL.md (Phase 1) gathers data from Notion, GitHub PRs, and OpenAPI specs.
    • Boundary markers: Absent. The Agent Prompt Template in SKILL.md directly interpolates {context_material} and {file_list_or_spec} into the prompt without using delimiters or instructions to ignore embedded commands.
    • Capability inventory: The sub-agents have access to powerful tools including git, gh (GitHub CLI), curl, and various code analysis tools (find_symbol, search_for_pattern).
    • Sanitization: Absent. There is no evidence of filtering or validation of the content retrieved from external sources before it is passed to the sub-agents.
  • [COMMAND_EXECUTION]: The skill uses shell commands and specialized tools to access sensitive project data.
    • Evidence: SKILL.md (Phase 1) lists usage of git diff, gh pr view, and mcp__claude_ai_Notion__notion-fetch. While these serve the stated purpose of code review, their use in combination with the permission bypass and the lack of data sanitization increases the risk profile.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 1, 2026, 12:54 AM