receiving-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and act upon code review feedback from external sources, making it vulnerable to malicious instructions embedded in review comments. It possesses the capability to modify files and execute tests. 1. Ingestion points: Code review feedback (SKILL.md, external-reviewer-protocol.md). 2. Boundary markers: None; untrusted feedback is processed as instructions. 3. Capability inventory: Subprocess execution (testing fixes), file system writing (IMPLEMENT task), and GitHub API calls (gh api). 4. Sanitization: None; the skill relies on the agent's reasoning to 'verify' rather than technical filtering.
- [Command Execution] (MEDIUM): The skill invokes system commands including
gh api(references/acknowledgment-and-responses.md) andgrep(references/external-reviewer-protocol.md). These commands use context-dependent arguments that could be manipulated if an attacker can influence the metadata or file paths through malicious feedback.
Recommendations
- AI detected serious security threats
Audit Metadata