ai-review
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions (SKILL.md) direct the agent to execute 'cat ~/.ai-review/credentials.json'. This file contains GitLab Personal Access Tokens in plaintext, which exposes the user's primary authentication secrets directly into the LLM's conversation context.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes external, untrusted data (GitLab Merge Request diffs) that can contain hidden instructions for the agent.
- Ingestion points: The agent reads code diffs from the file '~/.ai-review/mr-context.json' which is populated via the 'ai-review get-context' command.
- Boundary markers: There are no delimiters or explicit instructions provided to the agent to treat the diff content as data only and to ignore any natural language instructions embedded within comments or code.
- Capability inventory: The agent has access to 'Bash', 'Read', and 'Write' tools, allowing it to execute arbitrary shell commands or exfiltrate data if manipulated.
- Sanitization: No sanitization or filtering of the Merge Request content is performed before it is presented to the agent.
- [EXTERNAL_DOWNLOADS]: The documentation (README.md) encourages users to download pre-built binary executables from the author's GitHub repository ('github.com/zawlinnnaing/ai-review-cli/releases').
- [COMMAND_EXECUTION]: The installation guide requires the use of 'sudo' to move binaries into system directories and 'chmod +x' to modify file permissions, which are high-privilege operations.
Audit Metadata