ai-code-review
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted content from
git diffwithout employing boundary markers or instructions to ignore embedded commands. - Ingestion points:
SKILL.md(via shell execution ofgit diff main...HEAD). - Boundary markers: Absent; there are no delimiters or warnings to treat the diff content as untrusted data.
- Capability inventory: The skill possesses significant capabilities including local filesystem modification (
Write,Edit,Readtools), directory listing (ls), and network operations viagit push. - Sanitization: No sanitization or filtering is performed on the code content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to interact with git and the filesystem. It includes an automated
git pushcommand to synchronize the local Obsidian vault with its remote origin. While this is part of the skill's stated functionality, automated push operations on user repositories carry a risk of unintended data transmission if the repository configuration is modified or if branch names are manipulated to interfere with command strings.
Audit Metadata