adversarial-review

Fail

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands to call the 'codex' and 'claude' CLI tools. Untrusted data from code reviews or diffs is placed inside the command string. If this input contains shell metacharacters (such as backticks, semicolons, or command substitutions), it may trigger arbitrary command execution on the local system.
  • Evidence: 'codex exec --skip-git-repo-check -o "$REVIEW_DIR/skeptic.md" "prompt"' (SKILL.md)
  • Evidence: 'claude -p "prompt" > "$REVIEW_DIR/skeptic.md"' (SKILL.md)
  • [PROMPT_INJECTION]: The skill processes external data (code and planning documents) that may contain hidden instructions, creating a surface for indirect prompt injection.
  • Ingestion points: 'recent diffs', 'referenced plans', and 'user messages' from context (Step 2, SKILL.md).
  • Boundary markers: Absent. The prompt template concatenates inputs directly without using isolation delimiters.
  • Capability inventory: System command execution via external CLI tools (SKILL.md).
  • Sanitization: Absent. No escaping or filtering is applied to the 'prompt' variable before it is used in the shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 19, 2026, 08:24 AM