external-llm-review
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill gathers source code changes via `git diff` and project context from `CLAUDE.md` and `.agents/lessons/`, then transmits this information to external APIs through the `codex` and `gemini` command-line tools. This represents a potential exposure of proprietary code to third-party services.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It interpolates unvalidated content from `git diff` directly into a review prompt without boundary markers or sanitization, which could allow malicious code comments to manipulate the model's review verdict.
  - Ingestion points: `git diff` and local project documentation (SKILL.md)
  - Boundary markers: Absent
  - Capability inventory: Shell execution of external LLM CLIs (`codex exec`, `gemini`)
  - Sanitization: Absent
- [COMMAND_EXECUTION]: The skill invokes several local system commands to gather context and interact with external tools, including `git`, `cat`, `ls`, `codex`, and `gemini`.
Audit Metadata