lisa-review-project
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a shell command (`diff -u`) using file paths derived directly from the `.lisa-manifest` file in the target project. If an attacker provides a manifest containing shell metacharacters such as backticks or command substitution (e.g., `$(cmd)`), the agent may execute arbitrary commands when attempting to generate a diff.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the target project to drive its logic and reporting.
  - Ingestion points: The `.lisa-manifest`, `package.json`, and the content of all files compared during the drift analysis.
  - Boundary markers: No delimiters or instructions are used to separate untrusted data from the agent's core instructions.
  - Capability inventory: The skill possesses the ability to read arbitrary files, execute subprocesses via the `diff` command, and write files to the local repository using the Write tool.
  - Sanitization: No sanitization, escaping, or validation of the manifest entries or project file contents is performed before they are processed or written back to the source repository.
- [COMMAND_EXECUTION]: The 'Adopt Improvements' feature allows the agent to write files from an untrusted target project into the main Lisa source repository. While this requires user confirmation, it provides a mechanism for malicious code to be persisted into the primary template repository if a user is misled by the agent's analysis.