adversarial-review

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands in SKILL.md using placeholders such as {{TARGET_DIR}}, {{PLAN_FILE}}, and {{FILLED_PROMPT}}. For example: claude --print --model opus ... "{{FILLED_PROMPT}}". If any of these variables contain shell metacharacters or maliciously crafted strings from a user or a file, it could lead to arbitrary command execution on the host system.
  • [DATA_EXFILTRATION]: The fallback workflow in SKILL.md invokes the Claude CLI with the Bash tool enabled (--tools "Read,Grep,Glob,Bash"). While the skill attempts to disallow write tools, the availability of Bash combined with read access to the directory tree (--add-dir "{{TARGET_DIR}}") allows a potentially compromised sub-process to exfiltrate sensitive data via network requests or shell commands.
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute the claude command-line tool with user-provided or file-derived inputs. This constitutes a dynamic execution pattern where external data influences the execution of a powerful local CLI tool.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from a codebase for review purposes.
  • Ingestion points: Reads contents from the implementation directory ({{TARGET_DIR}}) and a plan/spec file ({{PLAN_FILE}}) as defined in SKILL.md and references/prompt-template.md.
  • Boundary markers: The references/prompt-template.md uses placeholders but does not implement robust boundary markers or "ignore embedded instructions" guards to prevent the reviewer model from following instructions found within the code being audited.
  • Capability inventory: The delegated process is granted Read, Grep, Glob, and Bash capabilities.
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is passed to the reviewer model.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 08:37 PM