code-review-expert
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands to manage the review lifecycle. As shown in SKILL.md (Phase 1 and 4), it executes git worktree add and git worktree remove to create and clean up isolated environments in the /tmp directory.
- [EXTERNAL_DOWNLOADS]: The system fetches external content via the Context7 MCP tools (resolve-library-id and get-library-docs) to verify third-party API usage. This behavior is documented in references/context7-integration.md and is used to mitigate model hallucinations.
- [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection through its data ingestion pipeline.
  - Ingestion points: The sub-agents read untrusted source code files from user repositories using the Read tool.
  - Boundary markers: No explicit delimiters or instructions are provided to help agents differentiate between code and potentially malicious embedded instructions.
  - Capability inventory: The agents possess the ability to read files and the main agent can execute bash commands for environment cleanup.
  - Sanitization: No sanitization or escaping of the ingested code content is performed before analysis.