review-work
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it processes untrusted content from source files, diffs, and external communication channels and passes them to sub-agents.
  - Ingestion points: File contents, git diffs, and retrieved content from Slack, Notion, and GitHub issues are used as prompt context.
  - Boundary markers: The skill employs XML tags (e.g., <file_contents>, , <original_goal>) to delimit external data from core instructions.
  - Capability inventory: The skill can spawn sub-agents, execute git/gh commands, and run user-defined application start commands.
  - Sanitization: It includes explicit instructions to redact sensitive information such as tokens, API keys, and PII before sharing review results.
- [COMMAND_EXECUTION]: The skill uses shell commands for review orchestration and verification.
  - It uses git commands for context gathering and creates isolated git worktrees to avoid polluting the main environment.
  - The QA sub-agent is designed to execute the application's own build or run scripts to verify functionality.
- [DATA_EXFILTRATION]: The skill reads data from local source code and well-known communication platforms.
  - It accesses GitHub, Slack, and Notion to ensure implementations align with historical decisions and documented requirements. This access is performed within the local agent context using standard integration tools.
Audit Metadata