ln-005-multi-agent-context-review
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill extracts technology topics and stack hints from provided context files (Step 7b, 7c) and uses them to construct queries for external research tools, including web search engines (Step 7d). If context files contain sensitive internal identifiers, proprietary library names, or confidential architectural details, these could be exfiltrated to third-party search providers.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from context_files and conversation history, which is then passed to external reviewing agents (Codex and Gemini).
  - Ingestion points: the context_files parameter and conversation content materialized to .agent-review/context/.
  - Boundary markers: No specific delimiters or instructions are defined to prevent the external agents from obeying instructions embedded within the user-provided context.
  - Capability inventory: The skill possesses file-reading capabilities (7b, 7c), file-writing/editing capabilities (7e), and network access via research tools (7d).
  - Sanitization: No sanitization or filtering is performed on the context content before it is processed by the agents.
- [COMMAND_EXECUTION]: The 'surgical edit' feature in Step 7e allows the agent to automatically modify local project files based on findings from external agents and research tools. While Plan Mode requires user approval, the automated generation and application of file modifications based on untrusted input sources presents a risk of malicious code injection if the input files or research results are manipulated.
Audit Metadata