code-reviewer
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool and a local Python script to execute Git commands, including 'git diff' and 'git log', to gather pull request context. This behavior is essential for its primary function of code review.
- [DATA_EXFILTRATION]: The skill configuration allows access to WebFetch and WebSearch tools. This provides the agent with the capability to perform network requests to non-whitelisted domains, which could potentially be used as an exfiltration channel if the agent is manipulated by malicious code found in a pull request.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from repository diffs and file contents.
  - Ingestion points: The skill reads external content via 'git diff', 'git log', and file reading operations (SKILL.md, scripts/review_checklist.py).
  - Boundary markers: The instructions define a structured output format for the review but lack explicit directives to ignore or isolate instructions embedded within the code being analyzed.
  - Capability inventory: The skill has access to shell execution (Bash) and network operations (WebFetch, WebSearch), creating a high-impact surface if an injection occurs.
  - Sanitization: There is no evidence of input validation, escaping, or sandboxing of the repository data before it enters the agent's context.
Audit Metadata