cross-model-review
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements strong mitigations against direct prompt injection by wrapping untrusted input in explicit delimiters (<<<UNTRUSTED_PLAN_CONTENT>>>) and providing senior engineering reviewer instructions to models to treat the content as data only. This is documented in SECURITY.md and implemented across all templates.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface (Category 8 Evaluation):
  - Ingestion points: Implementation plans provided by the user and codebase context gathered by the agent.
  - Boundary markers: Present for implementation plans via delimiters; however, SECURITY.md explicitly notes that codebase context does not currently use delimiters.
  - Capability inventory: The review.js script manages file system operations within the workspace, issue tracking, and approval gating for the broader agent loop.
  - Sanitization: No content sanitization is performed on the text of the findings, as they are intended for human and AI consumption.
- [DATA_EXFILTRATION]: The skill's primary purpose involves sending implementation plans and codebase context to external AI providers. The skill author includes a dedicated SECURITY.md policy that correctly identifies this data flow and provides guidance on avoiding the inclusion of secrets, credentials, or PII in plans.
- [SAFE]: The core logic in scripts/review.js is a zero-dependency Node.js script. It uses standard library modules (fs, path) to manage a local workspace and JSON.parse to evaluate model responses without using dangerous functions like eval() or exec().
Audit Metadata