review-security
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process data from external, untrusted sources such as code diffs and pull request comments.
  - Ingestion points: Data enters the agent's context through 'git diff' and 'gh pr diff' commands, as well as by reading comments from the pull request (as described in 'references/trust-policy.md').
  - Boundary markers: The instructions lack explicit delimiters or 'ignore' markers to separate untrusted data from the agent's primary instructions.
  - Capability inventory: The agent has a significant capability surface, including access to multiple command-line tools for repository management and package auditing via Bash.
  - Sanitization: There is no evidence of data sanitization or escaping performed on external inputs prior to processing.
- [COMMAND_EXECUTION]: The skill relies on the execution of various shell-based auditing tools which interact with the local repository environment.
  - Evidence: It executes tools like 'npm audit', 'pip-audit', 'cargo audit', 'gitleaks', and 'semgrep'. While used for security purposes, these tools involve executing logic against project files.
- [DATA_EXFILTRATION]: The skill's primary objective involves identifying and extracting sensitive information such as hardcoded secrets and credentials.
  - Evidence: Phase 3 of the 'SKILL.md' file defines regex patterns to detect AWS keys, Stripe tokens, and private keys. This process intentionally brings sensitive data into the agent's context for evaluation.
Audit Metadata