doc-review
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it interpolates untrusted file content into its analysis prompt.
  - Ingestion points: The content of the document being reviewed is loaded into the `${FILE_CONTENT}` variable in `references/codex-prompt-doc.md` and `references/review-loop-doc.md`.
  - Boundary markers: The document content is delimited by triple backticks (```), but there are no explicit instructions to the AI to treat the content as data only or to ignore any instructions found within that content.
  - Capability inventory: The skill has access to `Bash(git:*)`, `Read`, `Grep`, and `Glob` tools. Furthermore, the prompt in `references/codex-prompt-doc.md` explicitly encourages the AI to use commands like `ls`, `grep`, and `cat` to research the project, which could be exploited by an attacker-controlled document to perform unauthorized file system reconnaissance.
  - Sanitization: There is no evidence of sanitization or filtering of the document content before it is processed by the AI.
- [COMMAND_EXECUTION]: The skill executes system commands to perform its technical spec audit.
  - Evidence: The skill utilizes `Bash(git:*)`, `Read`, `Grep`, and `Glob` tools. These are used to read files, detect git-modified documents, and verify documentation consistency against the source code. While appropriate for the task, these capabilities provide the surface area for exploitation via injection.
Audit Metadata