auto-review-loop
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the sensitive file path
~/.claude/feishu.json. Reading from hidden configuration directories in the user's home folder is a high-risk pattern as these files often store sensitive information such as API keys, authentication tokens, or service credentials. - [REMOTE_CODE_EXECUTION]: The skill implements an autonomous 'review and fix' loop that generates and runs code. In Phase C ('Implement Fixes'), the skill uses
Write,Edit, andBashtools to modify local scripts and execute them based on 'Action items' received from an external AI model (gpt-5.4via Codex MCP). This creates a critical surface for executing arbitrary code if the external model provides malicious instructions. - [COMMAND_EXECUTION]: The skill makes extensive use of the
Bash(*)tool to perform powerful system operations, including deploying experiments to remote GPU servers via SSH and managing background processes withscreenandtmux. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests external data (the reviewer's 'Action items') and applies these instructions directly to the project environment via code modification tools without a human-in-the-loop verification step or sanitization of the proposed fixes.
Recommendations
- AI detected serious security threats
Audit Metadata