review-skill
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes the full content of external, untrusted skill files from Pull Requests.
- Ingestion Points: The workflow in Step 3 explicitly reads `SKILL.md` and all related references and scripts in the target directory (`Read the full SKILL.md`, `Read all files in the skill directory`).
- Capability Inventory: The agent has the capability to write findings to a file system path (`$ARGUMENTS`) and invoke other skills (`review-verification-protocol`), providing a mechanism for an injection to influence reporting or further execution steps.
- Boundary Markers: The instructions do not specify the use of delimiters (e.g., XML tags or triple backticks) or 'ignore' instructions to isolate the content of the skill being reviewed from the reviewer's own operational guidelines.
- Sanitization: There is no logic provided to sanitize or escape the content of the ingested files before the agent applies the structural, design, and marketplace checks.
- [COMMAND_EXECUTION]: The skill utilizes shell commands to interact with the repository's git metadata.
- Evidence: Step 2 executes `git diff --name-only $(git merge-base HEAD <base>)..<HEAD> | grep -E '(SKILL\.md|skills/[^/]+/)'` to identify changed files.
- Context: These operations are standard for a development-focused review skill and are restricted to identifying file paths for processing.
Audit Metadata