code-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from code changes and PRs without sanitization or boundary markers.
  - Ingestion points: File content accessed via git diff and PR descriptions.
  - Boundary markers: Absent.
  - Capability inventory: Execution of npm scripts and shell commands (grep, xargs).
  - Sanitization: None.
- [Remote Code Execution] (HIGH): The instructions command the agent to run 'npm run test', 'npm run lint', and 'npm run typecheck'. If an attacker modifies the package.json file in a pull request, they can inject malicious shell commands into these scripts, which the agent will then execute during the review process.
- [Command Execution] (MEDIUM): The skill uses xargs and grep on filenames obtained from git diff. While relatively safe, it demonstrates a pattern of direct shell interaction with potentially attacker-influenced strings (filenames).
Recommendations
- AI detected serious security threats
Audit Metadata