code-review
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It explicitly directs the agent to ingest and follow instructions from external files (e.g., frontend.md, backend.md) found in the reviewed codebase. Ingestion points: external checklist files and the code diff itself. Boundary markers: absent; the agent is not warned to ignore instructions embedded in these files. Capability inventory: significant access via Bash, Write, Edit, Task, and Read. Sanitization: none. An attacker can control the agent by placing malicious instructions in the project repository.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses the Bash tool to dynamically generate and execute shell commands for directory and report management. While the specific logic provided is for managing temporary files, the combination of shell access and the injection vulnerability above significantly increases the risk of arbitrary command execution.
Recommendations
- AI detected serious security threats
Audit Metadata