skills/lv416e/dotfiles/second-opinion/Gen Agent Trust Hub

second-opinion

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run various git commands for diffing and to invoke external CLI tools like codex and gemini.
  • [REMOTE_CODE_EXECUTION]: The Gemini CLI is invoked with the --yolo flag, enabling automatic approval of tool calls generated by the model. This creates a risk where the model, if influenced by malicious code in a diff, could execute arbitrary commands on the system.
  • [EXTERNAL_DOWNLOADS]: The skill directs the user to install extensions from third-party GitHub repositories under the gemini-cli-extensions organization, which are not listed as trusted sources. It also references trusted packages from OpenAI and Google.
  • [DATA_EXFILTRATION]: Project source code and sensitive context files like CLAUDE.md are read and sent to external LLM APIs for the purpose of the review.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
      1. Ingestion points: Untrusted git diff output is ingested via stdin in SKILL.md and references/gemini-invocation.md.
      2. Boundary markers: Uses basic headers such as 'Diff to review:' which do not provide strong isolation.
      3. Capability inventory: Access to the Bash tool and automated tool execution via gemini --yolo.
      4. Sanitization: No sanitization is performed on the diff content before transmission.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 10:36 PM