code-review
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'GPT-5.4 Guidance Alignment' section uses a fictitious model version to establish authoritative steering instructions. These instructions direct the agent to treat new tasks as 'local overrides' and to 'continue... automatically,' which encourages the model to bypass existing constraints and minimize human-in-the-loop verification.
- [COMMAND_EXECUTION]: The skill executes the shell command `git diff` to identify files for review. This grants the skill the ability to read project state and file metadata directly from the host system.
- [PROMPT_INJECTION]: Susceptibility to Indirect Prompt Injection.
  - Ingestion points: The skill ingests untrusted source code through `git diff` or file selection (SKILL.md, line 34).
  - Boundary markers: Absent. No XML tags, delimiters, or 'ignore' instructions are provided to separate the untrusted code data from the agent's core instructions.
  - Capability inventory: Reading local file contents and system state via `git diff`.
  - Sanitization: Absent. The agent is instructed to analyze and interpret the untrusted code content directly without validation.
- [COMMAND_EXECUTION]: The skill implements dynamic tool discovery via `ToolSearch("mcp")` and attempts to use discovered tools like `mcp__x__ask_codex`. This allows the skill to potentially interact with tools that are not explicitly declared in its manifest, leading to capability expansion at runtime based on the environment.
Audit Metadata