cross-review
Pass
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The instructions in `SKILL.md` utilize authoritative language such as "Reflexive Trigger Rule (binding on every agent)," "reflex, not a request," and "STOP" to override the agent's default operational guidelines and enforce a mandatory governance workflow.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests `git diff` output and passes it to reviewer models (Strata A and B). Malicious content within the diff (e.g., code comments containing instructions) could manipulate the reviewer's scoring or approval verdict.
  - Ingestion points: `scripts/cross-review.sh` captures diff content via `git diff` and stores it in `/tmp/cross-review-diff.patch` for processing.
  - Boundary markers: The prompts defined in `references/rubric.md` do not utilize robust boundary markers or "ignore embedded instructions" warnings for the attached diff content.
  - Capability inventory: The skill dispatches other agents and skills, executes shell commands, and interacts with the filesystem.
  - Sanitization: No sanitization or escaping is performed on the diff data before it is presented to the reviewer models.
- [COMMAND_EXECUTION]: The shell script `scripts/cross-review.sh` executes local system commands including `git` and a third-party CLI tool `codex` to perform analysis and cross-model evaluation.
Audit Metadata