review
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on several local bash scripts (e.g., find-artifact.sh, find-solution.sh, scope-drift.sh) located in ~/.claude/skills/nanostack/bin/ to manage review context and artifacts.
- [COMMAND_EXECUTION]: It defines a PostToolUse hook that executes a local shell script (./review/bin/suggest-security.sh) to scan for modifications in security-sensitive files (e.g., .env, Dockerfile, auth).
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to 'AUTO-FIX' mechanical code issues, which grants the agent authority to perform write operations and modify the user's local source files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted data from code diffs and plan artifacts.
- Ingestion points: Code changes retrieved via git diff and planning artifacts loaded from find-artifact.sh (documented in SKILL.md).
- Boundary markers: The instructions lack explicit boundary markers or 'ignore embedded instructions' warnings for the data being reviewed.
- Capability inventory: The skill has significant local capabilities, including the ability to modify source code (auto-fix) and execute multiple shell scripts.
- Sanitization: There is no evidence of sanitization or validation of the content ingested from the external files or artifacts.
Audit Metadata