adversarial-review
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs shell commands in
SKILL.mdusing placeholders such as{{TARGET_DIR}},{{PLAN_FILE}}, and{{FILLED_PROMPT}}. For example:claude --print --model opus ... "{{FILLED_PROMPT}}". If any of these variables contain shell metacharacters or maliciously crafted strings from a user or a file, it could lead to arbitrary command execution on the host system. - [DATA_EXFILTRATION]: The fallback workflow in
SKILL.mdinvokes the Claude CLI with theBashtool enabled (--tools "Read,Grep,Glob,Bash"). While the skill attempts to disallow write tools, the availability ofBashcombined with read access to the directory tree (--add-dir "{{TARGET_DIR}}") allows a potentially compromised sub-process to exfiltrate sensitive data via network requests or shell commands. - [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute the
claudecommand-line tool with user-provided or file-derived inputs. This constitutes a dynamic execution pattern where external data influences the execution of a powerful local CLI tool. - [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from a codebase for review purposes.
- Ingestion points: Reads contents from the implementation directory (
{{TARGET_DIR}}) and a plan/spec file ({{PLAN_FILE}}) as defined inSKILL.mdandreferences/prompt-template.md. - Boundary markers: The
references/prompt-template.mduses placeholders but does not implement robust boundary markers or "ignore embedded instructions" guards to prevent the reviewer model from following instructions found within the code being audited. - Capability inventory: The delegated process is granted
Read,Grep,Glob, andBashcapabilities. - Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is passed to the reviewer model.
Audit Metadata