start-review

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Potential for arbitrary command execution in references/invoke-skill.md. The skill executes .claude/hooks/workflows/write-session-state.sh "{topic}" ..., where {topic} is a value parsed from the frontmatter of local plan.md files via discovery.sh. A malicious file could include shell metacharacters in the topic field (e.g., test\"; touch /tmp/pwned; \") to execute commands when the session state is saved.
  • [PROMPT_INJECTION] (LOW): Indirect prompt injection surface. The skill reads and processes metadata from multiple user-controlled Markdown files in the project workspace.
      • Ingestion points: The scripts/discovery.sh script extracts fields such as topic, status, and plan_id from files in docs/workflow/planning/.
      • Boundary markers: Missing. Data is extracted and presented to the agent as YAML without delimiters or safety warnings to ignore instructions within the data.
      • Capability inventory: The skill has access to the Bash tool and executes several local shell scripts (discovery.sh, system-check.sh, write-session-state.sh).
      • Sanitization: There is no evidence of sanitization or validation of the extracted metadata before it is used in prompts or shell command strings.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 22, 2026, 08:17 PM