code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill instructs the agent to run 'cargo test' and 'cargo bench' as part of its 'Agent PR Checklist'. In Rust, test suites and build scripts (build.rs) can contain arbitrary code that executes on the host. If an attacker submits a malicious Pull Request, the agent will execute the attacker's code locally during the review process.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The skill ingests untrusted data from PR descriptions, code files, and related issues.
- Boundary markers: Absent. The skill does not define delimiters or provide instructions for the agent to ignore embedded commands within the code being reviewed.
- Capability inventory: The skill grants the agent the ability to execute shell commands ('cargo test', 'cargo bench', etc.), which provides a direct path from data ingestion to execution.
- Sanitization: Absent. There is no requirement for the agent to validate or sandbox the code before execution.
- [COMMAND_EXECUTION] (MEDIUM): The 'Checklist Verification Commands' section explicitly directs the agent to use shell commands. While these are standard tools, the lack of environment isolation when running them against external, untrusted source code is a dangerous practice.
Recommendations
- AI detected serious security threats
Audit Metadata