review
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). Evidence:
  1. Ingestion points: Pull request diffs via gh pr diff, staged changes via git diff, and file contents via read (SKILL.md).
  2. Boundary markers: Absent; the skill does not use delimiters or instructions to ignore instructions found within the reviewed code.
  3. Capability inventory: The agent can use Bash, SendMessage, TeamCreate, and TaskCreate.
  4. Sanitization: None. Specialist sub-agents may follow instructions embedded in the code files being reviewed.
- [COMMAND_EXECUTION]: The gatherContext workflow in SKILL.md is vulnerable to shell command injection. The instructions direct the agent to interpolate the $ARGUMENTS variable directly into shell command strings such as gh pr diff $target and git diff main...$target. If the input contains shell metacharacters (e.g., semicolons, backticks, or pipes), it could lead to arbitrary command execution via the allowed Bash tool.
Audit Metadata