proposal-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection where malicious instructions are embedded within the proposals being reviewed.
- Ingestion points: The skill explicitly processes data from local files, GitHub Pull Requests, Issues, Gists, and external exports in Phase 1 (Intake).
- Boundary markers: Absent. The instructions do not direct the agent to use delimiters or treat the input as non-executable data, increasing the risk that the agent follows instructions hidden in the proposal.
- Capability inventory: The skill has significant write capabilities, including posting PR review comments, issue comments, and creating local files (e.g., *-feedback.md) as detailed in Phase 5.
- Sanitization: Absent. There are no instructions to sanitize, escape, or filter the content of the documents being processed before they are used in prompts or output.
- [DATA_EXFILTRATION] (LOW): Risk of unauthorized data exposure via feedback loops.
- Description: An attacker could use an indirect prompt injection to trick the agent into including sensitive information (like environment variables or other local file content) in the feedback document or GitHub comment it generates.
Recommendations
- AI detected serious security threats