deep-review
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process untrusted data, specifically pull request diffs and source code files, as part of its 'Workflow Phase 1'. This creates a surface for indirect prompt injection if an attacker embeds malicious instructions within code comments or string literals.
  - Ingestion points: Processes PR diffs, local file changes, and related project context.
  - Boundary markers: No explicit instruction delimiters (like XML tags or specific 'ignore instructions in data' warnings) are defined for the agent to separate user code from the skill's own instructions.
  - Capability inventory: The skill only produces text-based analysis and does not have access to tools for code execution, file writing, or network operations.
  - Sanitization: No sanitization or filtering of input data is defined.
  - Mitigation: The adversarial nature of the 'Skeptic' persona, which is instructed to look for 'bugs, edge cases, and malicious inputs', acts as a logical defense against injection attempts.
- [SAFE]: The skill is 'Shape: .S..', meaning it consists entirely of instructions (SKILL.md) and metadata (plugin.json) without associated executable scripts or binaries. It does not perform any environment modifications or remote operations.
Audit Metadata