Gen Agent Trust Hub audit: aif-review (skills/lee-to/ai-factory/aif-review)

Verdict: Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: Potential command injection in git and github-cli tool usage. The skill instructions direct the agent to execute shell commands with unquoted user-supplied arguments, such as git rev-parse --verify <argument>, gh pr view <number>, gh pr diff <number>, and git log <ref>..HEAD. If the user input contains shell metacharacters and the execution environment does not sanitize arguments automatically, this could lead to arbitrary command execution.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by instructing the agent to read and prioritize project-local instructions. It mandates reading .ai-factory/skill-context/aif-review/SKILL.md and explicitly states that project-specific rules in this file should win over the skill's general instructions. This creates a mechanism for a malicious repository to hijack the agent's behavior during the review process.
  • Ingestion points: .ai-factory/skill-context/aif-review/SKILL.md (via the Read tool) and repository content (via git diff and gh pr diff).
  • Boundary markers: Absent. The skill provides no instructions for using delimiters or ignoring embedded instructions in external data.
  • Capability inventory: Bash tool usage (restricted to git and gh subcommands), file system access (Read, Glob, Grep), and user interaction (AskUserQuestion).
  • Sanitization: Absent. There is no requirement for the agent to sanitize or validate the content of the project-level rules or the code being reviewed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 2, 2026, 06:45 AM