copilot-review-init
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE, NO_CODE
Full Analysis
- [SAFE]: The skill package is composed entirely of Markdown documentation and reference templates. No executable scripts (.js, .py, .sh), binaries, or automated network code are included.
- [COMMAND_EXECUTION]: The instructions guide the agent to perform local repository discovery and file size verification (e.g., using `ls` and `wc`) to ensure that generated configuration files remain within Copilot's processing limits. These operations are legitimate and necessary for the skill's functionality.
- [PROMPT_INJECTION]: The skill requires the agent to ingest existing repository documentation and instruction files. While this creates a surface for indirect prompt injection from malicious repositories, the skill explicitly provides a validation phase (Phase 4) with a checklist to ensure the agent's output is safe and strictly follows the intended format.
- [EXTERNAL_DOWNLOADS]: Documentation references the author's other GitHub repositories and the `npx` command for installation. These are for manual user setup and reference and are not executed by the skill during runtime.
Audit Metadata