bug-review
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection via the ingestion of untrusted data from pull request diffs and repository files. A sophisticated attacker could embed instructions within code changes to influence the AI's review findings or manipulate the automated autofix generation. Mandatory Evidence: (1) Ingestion points: 'scripts/fetch-pr.sh' (PR diff) and 'scripts/gather-context.sh' (repository source files). (2) Boundary markers: Absent in the prompts defined in 'references/review-passes.md'. (3) Capability inventory: 'Edit' tool for autofixes, Git commit/push capabilities via 'Bash', and GitHub API interaction. (4) Sanitization: None identified. This risk is partially mitigated by the 5-pass parallel review architecture with majority voting and an independent validator using a different model (Opus).
- [COMMAND_EXECUTION]: The skill executes multiple local shell scripts for repository discovery, metadata fetching, and Git operations. During the optional autofix phase, it may also execute project-specific test suites (e.g., 'npm test', 'pytest', 'go test'). These actions are governed by user approval checkpoints and security hooks in 'hooks/hooks.json' that explicitly block destructive operations like 'git push --force'.
Audit Metadata