code-reviewer
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (NO_CODE)
Full Analysis
- [NO_CODE]: The skill is composed entirely of markdown instructions and YAML metadata. It does not include any executable scripts, binaries, or configuration files.
- [COMMAND_EXECUTION]: The instructions mention the capability to use standard security and static analysis tools such as npm audit, pip-audit, Snyk, and Semgrep. These references describe the agent's domain expertise and do not represent hidden or malicious command execution.
- [EXTERNAL_DOWNLOADS]: The skill references well-known technology platforms and security services including GitHub, GitLab, SonarQube, and Snyk. These are standard references for the intended use case and do not involve downloading untrusted remote code.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external, untrusted data in the form of code changes for review, which presents a surface for indirect prompt injection.
  - Ingestion points: The skill processes code snippets, pull request content, and configuration files provided during the review process.
  - Boundary markers: No specific delimiters or "ignore instructions" markers are defined in the response instructions for handling code content.
  - Capability inventory: The skill describes capabilities for running security audits and static analysis tools if the environment permits.
  - Sanitization: There are no explicit instructions for the AI to sanitize or escape potentially malicious instructions embedded within the code it reviews.
Audit Metadata