requesting-code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8).
    • Ingestion points: code-reviewer.md ingests untrusted data via {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION}.
    • Boundary markers: Absent. There are no delimiters or specific instructions to treat variable content as data only, making it possible for the subagent to follow embedded instructions.
    • Capability inventory: The agent is instructed to 'Act on feedback' and 'Fix Critical issues immediately', which grants the capability to modify the codebase based on potentially poisoned reviewer feedback.
    • Sanitization: None observed for any input variables.
  • COMMAND_EXECUTION (HIGH): Vulnerability to command injection in shell templates.
    • The file code-reviewer.md uses {BASE_SHA} and {HEAD_SHA} directly within bash command blocks (git diff). If these variables are supplied from untrusted sources without strict validation as hex SHAs, an attacker could inject arbitrary commands using shell metacharacters (e.g., '; rm -rf /').
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:37 AM