skills/cline/skills/review-team/Gen Agent Trust Hub

review-team

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted code, diffs, and repository context.
      • Ingestion points: In SKILL.md, the 'Launch Pattern' explicitly directs the agent to provide the 'diff or changed files to review' and 'test results, logs... or relevant repository context' as input to subagents.
      • Boundary markers: Absent. The instructions do not specify the use of delimiters (e.g., XML tags or unique separators) or 'ignore embedded instructions' warnings when passing untrusted code to the subagents.
      • Capability inventory: The skill possesses significant capabilities in 'iterate' mode, including the ability to 'Implement fixes directly' (file writing) and 'Run tests or checks appropriate to the changes' (command execution).
      • Sanitization: Absent. There is no instruction to escape or validate the content of the diffs or files before they are processed by the LLM subagents.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md for 'Iterate Mode' authorize the agent to 'Run tests or checks appropriate to the changes.' While intended for legitimate verification, this capability could be abused if an attacker embeds malicious instructions within a code comment or documentation that the agent then follows during the fixing or testing phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 13, 2026, 09:56 AM
Security Audit — agent-trust-hub — review-team