code-review
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to interact with the local git environment and run verification tools.
  - Evidence: SKILL.md utilizes git rev-parse, git diff, and git ls-files to identify the files to be reviewed.
  - Evidence: The Verification section in SKILL.md describes running formatters, linters, and type-checkers on files modified in the session.
- [REMOTE_CODE_EXECUTION]: The verification process involves executing test suites, which can run arbitrary code from the repository being reviewed.
  - Evidence: SKILL.md (Verification section) directs the agent to run "targeted tests for impacted modules." If an attacker submits a malicious Pull Request containing compromised test logic, the agent will execute that code on the host system during the verification step.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted external code.
  - Ingestion points: The skill reads code diffs and file contents as part of its primary workflow (Step 1 in SKILL.md).
  - Boundary markers: There are no explicit markers or instructions defined to prevent the agent from following instructions embedded within the reviewed code's comments or data.
  - Capability inventory: The skill has the capability to modify files (via the --fix argument) and execute shell commands (Verification steps).
  - Sanitization: No sanitization or validation of the input content is performed to filter out potentially malicious instructions.
Audit Metadata