code-security-audit

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates untrusted code changes (diffs and file content) directly into the prompts sent to the Claude model for analysis. While the skill includes instructions for the model to behave as a security auditor, an attacker could craft a pull request containing malicious comments or code designed to override these instructions and hide vulnerabilities.
    • Ingestion points: Pull request metadata and diff content are fetched in claudecode/github_action_audit.py and passed to the prompt generator.
    • Boundary markers: The audit prompt in claudecode/prompts.py uses triple backticks to delimit the PR diff content.
    • Capability inventory: The skill possesses the capability to execute the claude CLI tool via subprocess.run and interact with the GitHub API to read repository data and post comments.
    • Sanitization: There is no evidence of sanitization or filtering of the diff content before it is placed into the prompt structure.
  • [EXTERNAL_DOWNLOADS]: During its setup process in GitHub Actions (action.yml), the skill downloads the official @anthropic-ai/claude-code package from the npm registry and the GitHub CLI (gh) from official repositories. These are trusted tools from recognized organizations and are essential for the skill's operation.
  • [COMMAND_EXECUTION]: The skill executes various system commands, including the claude CLI for performing the security audit and gh for managing pull request operations. These executions are performed using structured arguments and are consistent with the tool's core functionality as a CI/CD security scanner.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 10:10 AM