proposal-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core function is to ingest and process external documents which may contain attacker-controlled instructions.
- Ingestion points: Phase 1 (Intake) and Phase 2 (Chunking) involve reading the entire contents of proposals, GitHub PRs, gists, and issues into the agent's context.
- Boundary markers: The skill lacks any instructions to the agent to treat the input as untrusted data. There are no delimiters or 'ignore instructions within the data' warnings.
- Capability inventory: Phase 5 (Output Generation) specifies creating PR review comments and generating companion markdown files (
*-feedback.md). If the agent possesses write permissions to the filesystem or GitHub API, a malicious proposal could instruct the agent to modify unauthorized files, approve its own malicious code, or exfiltrate context through 'feedback' comments. - Sanitization: No sanitization or validation of the input content is performed before the agent processes and 'predicts reactions' to the text.
Recommendations
- AI detected serious security threats
Audit Metadata