review-code
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it reads files from the repository being reviewed (such as AGENTS.md and .chalk/docs/engineering/*) to determine coding conventions. These files are untrusted and could contain instructions designed to influence the agent's review logic or behavior.
  - Ingestion points: Workflow steps 1 and 2 (SKILL.md) read repo-level files.
  - Boundary markers: Absent. There are no instructions to the agent to treat external file content as untrusted or to ignore embedded instructions.
  - Capability inventory: Access to Bash, Read, Glob, and Grep tools.
  - Sanitization: Absent. The content is consumed directly as instructional context.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute 'git' and 'gh' commands with user-provided arguments like PR numbers and branch names. This pattern involves interpolating input directly into shell command strings (e.g., 'git diff main...'), which creates a potential surface for shell injection if the agent environment does not handle argument isolation correctly.