review-plan
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes artifacts such as plans, specs, and shells that could contain malicious instructions designed to influence the behavior of the subagents. This indirect prompt injection risk is inherent to tools that analyze user-provided content. 1. Ingestion points: The skill reads files from the .turbo/ directory (plans, shells, specs) and artifact text provided in the conversation context. 2. Boundary markers: Absent. The instructions do not use delimiters or provide instructions to the subagents to treat the ingested artifacts as untrusted content. 3. Capability inventory: Subagents are granted access to read codebase files and configuration (CLAUDE.md) and can invoke the /peer-review skill. 4. Sanitization: None. The content of the artifacts is passed directly to the subagents for analysis.
- [COMMAND_EXECUTION]: The skill utilizes the Agent tool to launch parallel subagents and the Skill tool to call the /peer-review command. These are intended behaviors for orchestrating the review workflow.
- [DATA_EXFILTRATION]: The skill reads project context including CLAUDE.md and codebase files to inform the review process. It also references internal criteria files in the ~/.claude/ directory. While these involve reading potentially sensitive project information, the data is used locally by the agents and is not sent to external domains.
Audit Metadata