open-code-review

Fail

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation script (scripts/install.sh) executes a remote shell script using the sh -c "$(curl ...)" pattern. The source is the official repository of a well-known technology provider.
  • [EXTERNAL_DOWNLOADS]: The skill downloads the ocr CLI and its installer from the alibaba/open-code-review GitHub repository. It also supports installation via the global NPM registry.
  • [COMMAND_EXECUTION]: The scripts/install.sh script utilizes sudo to install the binary to /usr/local/bin when direct write access is unavailable. The scripts/run-review.sh and scripts/run-scan.sh scripts wrap the execution of the ocr binary, passing user-supplied arguments to the tool.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data (git diffs and whole code files) and passes them to an LLM via the ocr CLI.
  • Ingestion points: Untrusted source code files and Git diffs are read by the run-review.sh and run-scan.sh scripts and passed to the review CLI.
  • Boundary markers: Not explicitly defined in the wrapper scripts.
  • Capability inventory: The skill is authorized to use Bash, Read, Write, and Edit tools, allowing it to modify code based on the tool's findings.
  • Sanitization: None; the skill relies on the external CLI's internal handling and the agent's interpretation of its output.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/${REPO}/main/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 2, 2026, 07:31 AM
Security Audit — agent-trust-hub — open-code-review