multi-review-aggregation
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it aggregates content from independent code reviews, which are treated as untrusted data inputs.
  - Ingestion points: Reviewer reports are fetched via the `bd comments` command in `aggregator-prompt.md`.
  - Boundary markers: Findings are identified using `[CODE-REVIEW-N/N]` tags, but the aggregator prompt lacks robust delimiters or sanitization logic to prevent embedded instructions in the reviews from influencing the subagent.
  - Capability inventory: The aggregation task has the authority to write files to the `temp/` directory and execute bash commands via the `bd` toolset as seen in `aggregator-prompt.md`.
  - Sanitization: No evidence of input validation, filtering, or escaping is applied to the reviewer comments before they are processed by the model.
- [COMMAND_EXECUTION]: The skill executes bash commands to interact with the task's environment. These executions appear to be legitimate uses of the platform's internal toolset.
  - Evidence: Calls to `bd comments` and `bd comments add` are utilized in `aggregator-prompt.md` and `references/dispatch-code.md` to retrieve and persist review data.
Audit Metadata