code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and analyze untrusted external content, creating a significant attack surface for indirect prompt injection.
- Ingestion points: Processes Ruby source code (`*.rb`), `git diff` outputs, and Markdown design specifications (`.steering/**/design.md`).
- Boundary markers: Absent. The skill instructions do not define delimiters (e.g., XML tags or triple backticks with 'ignore' warnings) to separate analysis instructions from the data being analyzed.
- Capability inventory: Generates detailed review reports that influence critical decisions (merging code). If used in an automated pipeline, malicious instructions in a PR could bypass security gates.
- Sanitization: Absent. There is no mechanism to prevent the agent from obeying natural-language instructions hidden within the code or comments it is tasked to review.
- Data Exposure (LOW): The skill is intentionally designed to access sensitive project files (specs, code, and potentially `.env` files for detection). While this is the intended functionality, it grants the agent broad read access to the filesystem, which could be abused if the agent is compromised via the aforementioned injection vector.
Recommendations
- AI detected serious security threats
Audit Metadata