code-review
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted data from external sources. Malicious instructions embedded in code comments, pull request descriptions, or specification documents could potentially influence the agent's behavior.
- Ingestion points: SKILL.md (Step 1, 2, 3) ingests data from local git diffs, remote GitHub pull request descriptions and comments, and user-supplied plan or specification files.
- Boundary markers: Absent. The skill does not define clear delimiters or instructions to the agent to disregard instructions contained within the data being reviewed.
- Capability inventory: SKILL.md (Step 1, 2, 7) performs shell command execution (git, gh) and file system write operations.
- Sanitization: Absent. The skill does not specify sanitization or escaping mechanisms for the external data it processes.
- [COMMAND_EXECUTION]: The skill executes shell commands using standard tools like git and the GitHub CLI (gh) to fetch code changes and pull request information. These operations are essential for the skill's primary function but represent a capability that could be targeted via indirect prompt injection.
Audit Metadata