code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Prompt Injection] (HIGH): The skill is susceptible to indirect prompt injection. It processes untrusted data (code changes) from git diffs and repository files as part of its core functionality. Ingestion points: 'git diff' commands and files accessed via Read/Grep/Glob tools. Boundary markers: Absent; there are no instructions to isolate ingested code or disregard embedded instructions. Capability inventory: The skill utilizes the 'Bash' tool, which allows for arbitrary command execution. Sanitization: Absent; content is processed without filtering. An attacker could embed instructions in a file or pull request that the agent would then execute.
  • [Command Execution] (MEDIUM): The use of the Bash tool for environment interaction, while functional, provides the necessary primitive for an indirect prompt injection attack to achieve system-level impact.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:54 AM