code-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill possesses a significant Indirect Prompt Injection surface (Category 8). It is designed to ingest and analyze untrusted external source code, pull request descriptions, and configuration files, yet it lacks any protective instructions to prevent embedded malicious commands from overriding the agent's logic.
- Ingestion points: External code repositories, PR descriptions, and CI/CD configuration files (as specified in the 'Capabilities' and 'Knowledge Base' sections).
- Boundary markers: Absent. There are no instructions or delimiters (e.g., XML tags or clear separators) to help the agent distinguish between its system instructions and the untrusted data it is reviewing.
- Capability inventory: The skill is intended to influence critical software development workflows, including CI/CD pipeline integration, security scanning, and code merge decisions.
- Sanitization: None. The agent is encouraged to process all content as-is, which could allow a malicious pull request to contain 'Ignore previous instructions' or similar directives that the agent might obey.
- [COMMAND_EXECUTION] (LOW): The skill description mentions the use of various CLI tools (e.g.,
npm audit,pip-audit,bandit). While the markdown itself does not contain executable code, the persona's intent to run these tools on untrusted local code creates a risk of exploitation if the underlying environment is not properly sandboxed.
Recommendations
- AI detected serious security threats
Audit Metadata