review-branch

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a shell command using open on a file path that includes the {branch} name. If a git branch is maliciously named with shell metacharacters (e.g., ;, &, or backticks), it could lead to arbitrary command execution when the agent attempts to open the visual deliverable.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input in the form of git diff output and passes it directly to multiple AI reviewer personas. This creates a surface where an attacker can embed malicious instructions in code comments or strings to manipulate the review or the agent's behavior.
      • Ingestion points: The git diff output is used as the primary input for all reviewer agents defined in references/reviewer-prompts.md.
      • Boundary markers: The templates use headers like [DIFF] but do not provide explicit instructions to the AI agents to ignore or sanitize embedded instructions within that content.
      • Capability inventory: The skill possesses the ability to execute shell commands (git, open) and read/write to the filesystem (e.g., ~/.agent/diagrams/), which could be abused if an injection is successful.
      • Sanitization: No sanitization is performed on the branch name or the diff content before they are used in shell commands or prompt templates.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 27, 2026, 02:26 PM