adversarial-review

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands to spawn reviewers using the codex and claude CLI tools. Evidence: Step 3 uses shell snippets such as codex exec --skip-git-repo-check -o "$REVIEW_DIR/skeptic.md" "prompt". This dynamic assembly of shell commands presents a risk of command injection if external content like code diffs is not correctly escaped before being passed as arguments.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data (code diffs) and interpolates it into prompts for secondary models without using delimiters or sanitization.
      • Ingestion points: Step 3 prompt template includes code or diffs from the current context.
      • Boundary markers: Absent; there are no specific instructions to the reviewer model to ignore instructions embedded in the code diff.
      • Capability inventory: The skill executes shell commands, reads local principles and lenses files, and writes to a temporary directory.
      • Sanitization: No escaping or validation is performed on the code content before prompt interpolation.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 04:15 AM