code-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill creates a high-risk surface area for indirect prompt injection by processing untrusted external content.
- Ingestion points: Untrusted data enters the agent context through the context block provided to the
codex-subagentcommand, specifically issue/PR numbers and task context. - Boundary markers: The skill uses a shell heredoc (
<<'EOF') to prevent local shell expansion, but it lacks any logical delimiters or instructions to the LLM to ignore embedded malicious instructions within the provided content. - Capability inventory: The skill executes a subagent (
codex-subagent) whose output is "folded back into the main workflow." This means the processed (potentially poisoned) data directly influences the parent agent's decision-making and subsequent tool executions. - Sanitization: There is no evidence of sanitization, filtering, or validation of the input content before it is processed by the subagent.
Recommendations
- AI detected serious security threats
Audit Metadata