brutal-honesty-review
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file defines a 'Minimum Findings Enforcement' rule that instructs the agent to 'ALWAYS find something' and escalate if fewer than three findings are identified, creating a behavioral bias that may override objective assessment.
- [PROMPT_INJECTION]: The skill processes untrusted user-provided code without explicit boundary markers or sanitization, exposing the agent to indirect prompt injection where malicious instructions in the reviewed code could influence output.
- [COMMAND_EXECUTION]: The skill includes scripts/assess-code.sh and scripts/assess-tests.sh which execute system utilities like grep, awk, and wc on target files.
- [COMMAND_EXECUTION]: The scripts/assess-tests.sh file executes 'npm test' and 'npm run test:coverage'. If used on untrusted code, this allows the project's package.json configuration to execute arbitrary malicious scripts in the environment.
Audit Metadata