requesting-code-review
Audited by Gen Agent Trust Hub on Feb 12, 2026
================================================================================
🟡 VERDICT: MEDIUM
This skill is designed to dispatch a code-reviewer subagent to perform code reviews. The primary security concern identified is the potential for Indirect Prompt Injection. The skill passes several user-provided text fields ({WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, {DESCRIPTION}) directly to the code-reviewer subagent. A malicious user could embed crafted instructions within these fields to attempt to override or manipulate the subagent's intended behavior (e.g., instructing it to ignore review guidelines or reveal sensitive information).
The skill also instructs the user to execute git diff commands using user-provided BASE_SHA and HEAD_SHA. While git diff is generally robust against command injection via SHAs (as SHAs are fixed-format identifiers), the content of the diff itself, or the SHAs if they were somehow crafted to contain non-SHA text, could potentially be used as a vector for indirect prompt injection into the subagent.
No other critical security issues such as direct prompt injection, data exfiltration, obfuscation, privilege escalation, or persistence mechanisms were detected in the skill's instructions or the subagent's definition.
Total Findings: 1
🟡 MEDIUM Findings: • Indirect Prompt Injection
- SKILL.md (multiple lines): The skill passes user-provided text (e.g., {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, {DESCRIPTION}) directly to the code-reviewer subagent. This creates a vector for indirect prompt injection, where a malicious user could attempt to manipulate the subagent's behavior by embedding instructions in these inputs.
================================================================================