receiving-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it explicitly processes untrusted data from 'External Reviewers'.
- Ingestion points: External reviewer comments provided via GitHub PRs or similar feedback channels.
- Boundary markers: Absent. The instructions treat external feedback as natural language strings to be 'READ' and 'UNDERSTOOD' without delimiters or safety framing.
- Capability inventory: The skill includes an 'IMPLEMENT' step (implying file write/code modification) and utilizes 'gh api' for network interactions (replies).
- Sanitization: Absent. There is no logic to filter or sanitize malicious instructions embedded within the feedback text.
- COMMAND_EXECUTION (LOW): The skill utilizes the 'grep' utility for codebase searches and the 'gh' (GitHub) CLI for API interactions. While these are legitimate tools for the task, they represent the execution surface available to the agent if an indirect injection succeeds.
Recommendations
- AI detected serious security threats
Audit Metadata