review
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function is to analyze untrusted data in the form of source code from pull requests, branches, or commits.
- Ingestion points: Source code and metadata are ingested from external repositories in Phase 1 (Setup and Context Gathering) and Phase 2 (Parallel Agent Reviews).
- Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between code-to-be-analyzed and potential instructions embedded within that code.
- Capability inventory: The skill utilizes powerful tools including 'Bash', 'Write', and 'Task', which could be targeted by successful injection.
- Sanitization: There is no evidence of input validation or sanitization for the code being reviewed.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to perform environment setup tasks such as 'git-worktree'. While standard for the use case, this capability allows for local system interaction based on inputs derived from untrusted code contexts.
Audit Metadata