document-review
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted document content, creating a risk of indirect prompt injection.
  - Ingestion points: Document content is read from user-provided local paths in Phase 1 and injected into sub-agent prompts via the {document_content} variable in references/subagent-template.md.
  - Boundary markers: Document content is wrapped in <review-context> tags within the sub-agent prompt template, providing a basic delimiter that can be bypassed by sophisticated instructions.
  - Capability inventory: The skill possesses the ability to read and edit files on the filesystem and to dispatch further agents via platform-specific tools.
  - Sanitization: No explicit escaping or validation of the document content is performed before it is interpolated into sub-agent instructions.
- [COMMAND_EXECUTION]: The skill performs automated file modifications using platform-specific editing tools based on LLM-generated content.
  - Evidence: Phase 4 of SKILL.md specifies that 'auto-fixes' (findings classified as 'auto' by sub-agents) are applied inline to the document using the platform's editing tool without requiring user approval or interactive review.
  - Risk: An attacker-controlled document could use indirect prompt injection to influence a sub-agent into generating a harmful change (e.g., deleting content or inserting malicious instructions) and classifying it as an 'auto' fix, which the orchestrating agent would then apply silently.