gemini-review
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data which creates a surface for indirect prompt injection. Malicious instructions embedded in code comments, commit messages, or PR descriptions could attempt to override the reviewer's persona or bias the review results.
  - Ingestion points: Untrusted data enters the prompt via `git diff` (branches/commits), `cat` (untracked files and context files), and `gh pr view` (PR descriptions) in `scripts/gemini-review.sh`.
  - Boundary markers: The script uses descriptive delimiters such as `=== PR DESCRIPTION ===`, `ADDITIONAL CONTEXT:`, and `CODE CHANGES TO REVIEW:` to separate untrusted data from instructions.
  - Capability inventory: The skill executes local commands (`git`, `gh`, `gemini`) and the Gemini model is explicitly set to `plan` (read-only) mode, preventing the injection from performing modifications.
  - Sanitization: No sanitization or escaping is applied to the ingested content before it is interpolated into the large language model prompt.
- [COMMAND_EXECUTION]: The script `scripts/gemini-review.sh` invokes several system commands including `git`, `gh` (GitHub CLI), and a `gemini` CLI tool. These operations are required for the skill's primary purpose but rely on the integrity of the user's PATH and the security of the underlying tools.
Audit Metadata