Skills
skills/chanmuzi/git-conventions/code-review/Gen Agent Trust Hub

code-review

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically locates and executes a JavaScript file (codex-companion.mjs) from a computed local path (~/.claude/plugins/cache/openai-codex) using node. While this is intended for integration with the OpenAI Codex plugin, executing code from a dynamic filesystem path is a risk factor as it relies on the integrity of the plugin cache directory.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data that is then processed by other AI agents.
  • Ingestion points: PR descriptions, code diffs, and git history are read using gh pr view, gh pr diff, and git log in SKILL.md.
  • Boundary markers: The instructions do not specify any delimiters or safety warnings to distinguish untrusted data from agent instructions.
  • Capability inventory: The skill utilizes Bash (git, gh, node), Read, and Agent tools, which could be abused if the agent obeys instructions embedded in the code being reviewed.
  • Sanitization: No sanitization or validation of the external content is mentioned before it is passed to the domain agents (Security, Architecture, etc.).
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 31, 2026, 12:19 PM
Security Audit — agent-trust-hub — code-review