ai-code-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection because it interpolates untrusted `git diff` content directly into the LLM prompt in `scripts/run_review.py`. An attacker could include instructions in a code comment (e.g., a comment telling the model to reply 'REVIEW_PASSED') to bypass the security review.
  - Ingestion points: `scripts/run_review.py` via the `get_git_diff()` function, which reads untrusted diff data.
  - Boundary markers: Uses weak triple-backtick delimiters (```) which are easily escaped within code content, since the diff itself can contain a closing ```.
  - Capability inventory: The skill influences the success or failure of a git commit (blocking capability) and outputs results to the console.
  - Sanitization: No sanitization or escaping of the diff content was detected before interpolation.
- [Persistence] (MEDIUM): The `scripts/install_hook.py` script modifies the project's `.git/hooks` directory to install `pre-commit` or `pre-push` hooks. This ensures the tool runs automatically during the git lifecycle, which is a persistence mechanism within the development environment.
- [Command Execution] (LOW): The scripts `scripts/run_review.py` and `scripts/load_rules.py` execute external commands such as `git` and the `claude` CLI via `subprocess.run`. While necessary for functionality, this relies on the integrity of the local environment's PATH.
- [External Downloads] (INFO): The skill references and requires the `anthropic` Python package and the `@anthropic-ai/claude-cli` Node.js package. These are categorized as LOW/INFO because they originate from a Trusted Source (Anthropic) per the [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats
Audit Metadata