skills/nu1nux/open-skills/code-review/Gen Agent Trust Hub

code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to indirect prompt injection (Category 8) due to its core function of processing untrusted external content with subsequent write and execute actions.
      • Ingestion points: The skill reads arbitrary file contents and git diff outputs in Phase 2, Step 1.
      • Boundary markers: No explicit delimiters or instructions are present to prevent the agent from obeying commands embedded within the code files.
      • Capability inventory: The skill has file-write access (docs/reviews/) and subprocess execution capabilities (git).
      • Sanitization: No sanitization or content validation is performed on the ingested data.
  • [COMMAND_EXECUTION] (LOW): The skill executes 'git' subprocesses using arguments like file paths and commit hashes. Without strict pattern validation, this creates a potential surface for command argument injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:20 AM