performance-testing-review-ai-review
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to ingest untrusted external data from pull request descriptions and code diffs, which are then interpolated directly into prompts for AI models. This creates a surface for indirect prompt injection where an attacker could embed malicious instructions in code comments or PR metadata to manipulate the automated review or downstream actions.\n
- Ingestion points: Untrusted data enters the agent via the
code_diff,pr_description, andstatic_resultsvariables used in thereview_promptand within theCodeReviewOrchestratorPython class.\n - Boundary markers: The prompts use basic markdown formatting (e.g.,
**Modified Code:**) as delimiters, but they lack robust structural separation or explicit instructions for the model to treat the ingested content as data rather than instructions.\n - Capability inventory: The skill has the capability to execute local binary tools (via
subprocess) and interact with the GitHub API to post comments and request changes on pull requests.\n - Sanitization: The provided scripts do not include logic for sanitizing, escaping, or length-limiting the untrusted input before it is concatenated into prompts.
Audit Metadata