code-review
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is designed for defensive security auditing of code changes. It explicitly instructs the agent to detect hardcoded secrets and input validation vulnerabilities.
- [COMMAND_EXECUTION]: The skill utilizes the 'date' command to provide temporal grounding when evaluating security vulnerabilities (CVEs). This is a safe use of system commands for accuracy.
- [PROMPT_INJECTION]: The skill processes untrusted pull request code, descriptions, and CI status, creating an indirect prompt injection surface. The use of a rigid output format and focused technical persona serves as a mitigation. Evidence:
  1. Ingestion points: Pull request files, descriptions, and CI logs (SKILL.md).
  2. Boundary markers: Absent.
  3. Capability inventory: 'date' command execution.
  4. Sanitization: Absent.
- [DATA_EXFILTRATION]: The skill references conversation links from the official vendor domain (app.all-hands.dev), which is a legitimate vendor resource.
Audit Metadata