review-change
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection by ingesting untrusted data from the user's working tree (source code and git diffs).
  - Ingestion points: Code changes and untracked files are collected in Phase 0 and Phase 1 using `git diff` and file reading operations.
  - Boundary markers: The collected data is organized under markdown headers (e.g., `### Diff`), but the skill lacks explicit escaping mechanisms or instructions to the model to ignore potential malicious instructions embedded within the analyzed code.
  - Capability inventory: The skill invokes specialized sub-agents via `Task` and `Skill` (e.g., `/review-security`) which receive and process the ingested content.
  - Sanitization: There is no evidence of input filtering or sanitization applied to the repository content before it is processed by the LLM.
Audit Metadata