code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill has a high-risk attack surface because it ingests untrusted code and is instructed to execute it with system tools.
  - Ingestion points: The skill processes external Rust source code and Pull Request data as defined in the 'Review Workflow'.
  - Boundary markers: Absent. The instructions define no delimiters and no system-level isolation for the untrusted code being reviewed.
  - Capability inventory: The SKILL.md file explicitly commands the agent to execute cargo fmt, cargo clippy, cargo test, and cargo bench.
  - Sanitization: Absent. The code is neither validated nor sandboxed before it is handed to the build system.
  - Analysis: In the Rust ecosystem, cargo clippy, cargo test, and cargo bench all compile the project, and compiling a crate compiles and runs any build.rs script (and any procedural macros in the dependency graph); cargo test and cargo bench additionally run the compiled test and bench binaries. A malicious PR can therefore include a build.rs that executes arbitrary shell commands on the host during the mandated review process. Of the four commands, only cargo fmt avoids this, because it formats source files without building the crate.
- [Command Execution] (HIGH): The skill directs the agent to execute shell commands against untrusted input.
  - Evidence: The 'Checklist Verification Commands' section in SKILL.md provides the specific bash commands to be executed.
  - Risk: Because these commands run inside a project that may carry malicious configuration (for example a repository-level .cargo/config.toml that redefines runner or rustc-wrapper), they directly facilitate remote code execution.
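The analysis above names the files that turn "run cargo on this PR" into "run the PR author's code": build.rs, a build key or proc-macro = true in Cargo.toml, a repository-level .cargo/config.toml, and a rust-toolchain file. The following is an added example, not code from the skill or from the auditor: a pre-flight triage the agent could run over the PR's changed files before it executes any of the mandated cargo commands. The file names, manifest contents and the Finding type are constructed for the demonstration, and the manifest check is a deliberately simple line scanner rather than a TOML parser.

```rust
// Added example (not the skill's or the audit's code): triage a PR's changed
// files for anything that makes `cargo clippy` / `cargo test` / `cargo bench`
// execute code supplied by the PR author. Inputs below are constructed.
use std::collections::BTreeSet;

/// A file in the PR that causes code execution at build or test time.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Finding {
    /// `build.rs`, or a `build = "path"` key in Cargo.toml: compiled and run by cargo.
    BuildScript(String),
    /// `proc-macro = true`: the crate's code runs inside rustc during compilation.
    ProcMacro(String),
    /// `.cargo/config(.toml)`: can set `runner`, `rustc-wrapper`, `[alias]`, ...
    CargoConfig(String),
    /// `rust-toolchain(.toml)`: can point cargo at a toolchain from a local `path`.
    ToolchainOverride(String),
}

fn basename(path: &str) -> &str {
    path.rsplit('/').next().unwrap_or(path)
}

/// Split a TOML `key = value` line into (key, value); skips comments and table headers.
fn key_value(line: &str) -> Option<(&str, &str)> {
    let line = line.split('#').next()?.trim();
    if line.is_empty() || line.starts_with('[') {
        return None;
    }
    let (k, v) = line.split_once('=')?;
    Some((k.trim(), v.trim().trim_matches('"')))
}

/// Scan a manifest for keys that introduce build-time code execution.
fn triage_manifest(path: &str, contents: &str, out: &mut BTreeSet<Finding>) {
    for line in contents.lines() {
        match key_value(line) {
            // `build = false` explicitly disables build scripts; any other value
            // (a path, or `true`) means cargo compiles and runs a script.
            Some(("build", v)) if v != "false" => {
                out.insert(Finding::BuildScript(format!("{}: build = {}", path, v)));
            }
            Some(("proc-macro", "true")) => {
                out.insert(Finding::ProcMacro(path.to_string()));
            }
            _ => {}
        }
    }
}

/// Triage the PR's changed files, given as (path, contents) pairs.
pub fn triage(files: &[(&str, &str)]) -> BTreeSet<Finding> {
    let mut out = BTreeSet::new();
    for &(path, contents) in files {
        match basename(path) {
            "build.rs" => {
                out.insert(Finding::BuildScript(path.to_string()));
            }
            "Cargo.toml" => triage_manifest(path, contents, &mut out),
            "rust-toolchain" | "rust-toolchain.toml" => {
                out.insert(Finding::ToolchainOverride(path.to_string()));
            }
            "config" | "config.toml" if path.contains(".cargo/") => {
                out.insert(Finding::CargoConfig(path.to_string()));
            }
            _ => {}
        }
    }
    out
}

/// Policy: any finding means the cargo commands must not run outside a sandbox.
pub fn should_block(findings: &BTreeSet<Finding>) -> bool {
    !findings.is_empty()
}

/// Constructed PR: looks like a one-line library change, but also ships a
/// build script and a cargo config that replaces the test runner.
pub const SAMPLE_PR: &[(&str, &str)] = &[
    ("src/lib.rs", "pub fn add(a: u32, b: u32) -> u32 { a + b }\n"),
    ("Cargo.toml", "[package]\nname = \"demo\"\nversion = \"0.1.0\"\nbuild = \"build.rs\"\n"),
    ("build.rs", "fn main() { /* runs on the reviewer's host during cargo build */ }\n"),
    (".cargo/config.toml", "[target.x86_64-unknown-linux-gnu]\nrunner = \"./tools/run\"\n"),
];

fn main() {
    let findings = triage(SAMPLE_PR);
    for f in &findings {
        println!("{:?}", f);
    }
    if should_block(&findings) {
        println!("refusing to run cargo clippy/test/bench outside a sandbox");
    }
}
```

This is a triage, not a sandbox: it only tells the agent when the mandated commands would execute PR-controlled code. It also looks only at changed files, so a PR that pulls in a new dependency with its own build script (a Cargo.toml or Cargo.lock change) still needs the same treatment; the safe default is to run cargo clippy, cargo test and cargo bench in a disposable container or VM with no credentials and no network, regardless of what the triage reports.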
Recommendations
- AI detected serious security threats