code-review

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it incorporates untrusted data from PR diffs and external URLs into its reasoning process without explicit boundary markers or sanitization.
  • Ingestion points: Git diff results and data from external PR/ticket URLs in SKILL.md.
  • Boundary markers: Absent; instructions do not specify ignoring embedded commands in data.
  • Capability inventory: The skill can execute git commands, fetch network data, and modify local skill files (SKILL.md).
  • Sanitization: No sanitization of ingested content is performed before processing.
  • [COMMAND_EXECUTION]: The skill uses shell commands to identify changed files for review.
  • Evidence: git diff origin/base...HEAD --name-only in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves context and intent from external ticket management systems or PR URLs.
  • Evidence: Instruction to fetch intent if a ticket key or PR URL exists in SKILL.md.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 10:17 PM
Security Audit — agent-trust-hub — code-review