review-loop
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted workspace data without sufficient safeguards.
  - Ingestion points: Data from `git diff`, `git status`, and file contents enters the agent context in Phase 2 via the Reviewer and Dev agent prompts in SKILL.md.
  - Boundary markers: There are no explicit markers or instructions to treat workspace data as data only and ignore embedded instructions.
  - Capability inventory: The Dev Agent has full read-write access to the workspace, allowing it to modify files or execute commands based on instructions from the previous steps.
  - Sanitization: The skill does not sanitize or escape the workspace data before interpolating it into the prompts.
Audit Metadata