codebase-review
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core function of analyzing untrusted codebases combined with file-write capabilities.
- Ingestion points: The skill reads external codebase files in Step 1 (
package.json, etc.) and Step 3 (large source files > 600 LOC) into the agent's context. - Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the analyzed code.
- Capability inventory: The skill utilizes
ls, file-read operations, execution of SAST commands, and file-write operations to updateSKILL.mdandevals.jsonfiles. - Sanitization: No sanitization or validation logic is defined before findings are used to modify other skill definitions.
- [COMMAND_EXECUTION]: In Step 2, the skill executes "SAST Commands" (Secrets, PII, Injection, Auth Coverage) which are defined in external reference files (
common-security-audit/references/signals.md). This allows for the execution of shell commands where the payload is retrieved from secondary files. - [DYNAMIC_EXECUTION]: The "Skill Feedback Loop" in Step 4 instructs the agent to "Update that skill's SKILL.md with an Anti-Pattern rule". This is a self-modifying or cross-skill modifying behavior that allows the agent to rewrite its own or other skills' logic at runtime based on external data. If an attacker-controlled codebase triggers a specific "Critical" finding via indirect injection, it could potentially manipulate the agent into writing malicious instructions into the skill library.
Audit Metadata