adversarial-review
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and runs shell commands such as
git diff,claude,codex, andjustusing user-provided variablesBASEandSCOPE. While the instructions specify shell-safe techniques like bash arrays andprintf %qquoting, the execution of commands based on user-controlled inputs remains a potential vulnerability surface. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted diff content. \n- Ingestion points: The output of
git diffis directly interpolated into model prompts inSKILL.md(Phase 1). \n- Boundary markers: The skill uses markdown headers but lacks robust, unique delimiters or instructions to the model to ignore embedded commands within the diff. \n- Capability inventory: The orchestrating agent has the ability to execute shell commands and interact with network-enabled model CLIs. \n- Sanitization: There is no evidence of sanitization or filtering of the code diff before it is included in the prompt context.
Audit Metadata