code-review
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it incorporates untrusted data from PR diffs and external URLs into its reasoning process without explicit boundary markers or sanitization.
- Ingestion points: Git diff results and data from external PR/ticket URLs in SKILL.md.
- Boundary markers: Absent; instructions do not specify ignoring embedded commands in data.
- Capability inventory: The skill can execute git commands, fetch network data, and modify local skill files (SKILL.md).
- Sanitization: No sanitization of ingested content is performed before processing.
- [COMMAND_EXECUTION]: The skill uses shell commands to identify changed files for review.
- Evidence: git diff origin/base...HEAD --name-only in SKILL.md.
- [EXTERNAL_DOWNLOADS]: The skill retrieves context and intent from external ticket management systems or PR URLs.
- Evidence: Instruction to fetch intent if a ticket key or PR URL exists in SKILL.md.
Audit Metadata