review-fix-all

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses bunx to download and execute the @willbooster/agent-skills package from the NPM registry. While this package is associated with the skill's author, it represents a dynamic external dependency.
  • [REMOTE_CODE_EXECUTION]: Executing @willbooster/agent-skills@latest at runtime constitutes remote code execution, as the package content is not statically bundled with the skill.
  • [COMMAND_EXECUTION]: Step 1 contains a directive to run the review command with a 1-hour timeout and explicitly commands: 'DO NOT STOP THE COMMAND BEFORE 1 HOUR ELAPSES'. This behavior is highly irregular for a code review utility and could be used to mask long-running background processes such as data exfiltration, cryptomining, or maintaining a persistent connection.
  • [PROMPT_INJECTION]: The workflow is vulnerable to indirect prompt injection because it instructs the agent to treat findings from external agents (Codex, Claude Code, Gemini CLI) as instructions for code modification and commits.
      • Ingestion points: Terminal output from the @willbooster/agent-skills review command in SKILL.md.
      • Boundary markers: None present to distinguish instructions from data.
      • Capability inventory: File system write access, git commit, and git push.
      • Sanitization: No sanitization or validation logic is provided beyond a manual 'validity' check by the agent.
  • [DATA_EXFILTRATION]: The skill automates code commits and pushes. If the review tool or the agents providing findings are compromised, they could trick the agent into committing and pushing sensitive files (like .env or credentials) to a remote repository.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 12:49 AM