requesting-code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The file code-reviewer.md contains shell commands (git diff --stat {BASE_SHA}..{HEAD_SHA}) where the placeholders are directly interpolated. If an attacker can influence the values of BASE_SHA or HEAD_SHA (e.g., via a malicious PR title or commit message that the primary agent parses), they can execute arbitrary shell commands on the system.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). The subagent is instructed to review code and requirements, which are external, untrusted sources.
  - Ingestion points: The subagent ingests arbitrary code via git diff and requirements via the {PLAN_OR_REQUIREMENTS} placeholder.
  - Boundary markers: None. There are no delimiters (e.g., XML tags or triple backticks with 'ignore instructions' warnings) to separate the reviewer's instructions from the code being reviewed.
  - Capability inventory: The subagent has shell execution capabilities (git diff) and its output directly influences developer decisions ('Ready to merge?').
  - Sanitization: None. The skill does not escape or validate the content of the files or SHAs before processing.
- DATA_EXFILTRATION (MEDIUM): Because the reviewer subagent has access to the full git diff and (typically) network access to report its findings, a malicious instruction embedded in the code being reviewed could command the subagent to exfiltrate the source code to a remote server.
Recommendations
- AI detected serious security threats