backend-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Prompt Injection (HIGH): The skill is susceptible to Indirect Prompt Injection. It is designed to read and analyze untrusted external code, which could contain instructions specifically crafted to deceive the agent or exploit its tool-calling capabilities.
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill utilizes `npm run build` and `npm run lint` within its workflow. These commands execute scripts defined in the `package.json` file of the repository being reviewed. If the repository is malicious, it can execute arbitrary shell commands on the agent's host environment during the review process.
- Indirect Prompt Injection (HIGH): Mandatory Evidence Chain:
  - Ingestion points: The skill ingests untrusted data via `Read`, `Grep`, `Glob`, and `git diff` commands when accessing the repository code.
  - Boundary markers: Absent. There are no instructions to the agent to treat the code content as data rather than instructions.
  - Capability inventory: High. The agent has access to `Bash(git:*)`, `Bash(npm:*)`, and specific commands like `npm run build` which trigger script execution.
  - Sanitization: Absent. There is no validation or filtering of the repository's configuration files (like `package.json`) before execution.
- Command Execution (MEDIUM): The skill explicitly allows for the execution of bash commands. While scoped to `git` and `npm`, the potential for abuse within those scopes remains high if triggered by malicious external input.
Recommendations
- AI detected serious security threats
Audit Metadata