code-review
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides comprehensive instructions for code quality and security audits, referencing established guidelines such as the OWASP Top 10 and Google's Engineering Practices.
- [SAFE]: A placeholder credential ('sk-1234567890abcdef') is included in the documentation as an example of a security anti-pattern (hardcoded secrets). This is for educational purposes and does not constitute a credential leak.
- [SAFE]: Tool access is appropriately limited to read-only operations ('Read', 'Grep', 'Glob') via the platform's 'allowed-tools' configuration, preventing unauthorized filesystem modifications or network activity.
- [SAFE]: Indirect Prompt Injection Analysis: The skill processes external code and pull request data, which presents a surface for indirect prompt injection. However, the risk is mitigated by the lack of write or network capabilities, restricting any potential impact to the current session's logic.
  - Ingestion points: PR descriptions and code files accessed via 'Read' and 'Glob' tools.
  - Boundary markers: Absent.
  - Capability inventory: 'Read', 'Grep', 'Glob' (read-only tools).
  - Sanitization: None detected.