code-review
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from story files and repository source code (references/workflow.md, Step 1 and 3) without explicit boundary markers or sanitization.
- Ingestion points: Story files (Markdown) and application source code are read directly into the agent's context.
- Boundary markers: Absent; the instructions do not define delimiters or warnings to ignore instructions embedded within the reviewed content.
- Capability inventory: The agent is empowered to write to files to "Fix all HIGH and MEDIUM issues" and update project status files (references/workflow.md, Step 4 and 5).
- Sanitization: Absent; no validation or filtering is applied to the ingested external content.
- [COMMAND_EXECUTION]: The skill utilizes local git commands (`git status`, `git diff`) to discover changes in the project repository. These commands are used for metadata discovery and are consistent with the skill's primary function.
- [SAFE]: The skill follows security best practices by explicitly excluding IDE and CLI configuration folders (e.g., .cursor/, .windsurf/, .claude/) from its analysis and modification scope, preventing accidental tampering with environment settings.
Audit Metadata