codebase-review

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core function of analyzing untrusted codebases combined with file-write capabilities.
  • Ingestion points: The skill reads external codebase files in Step 1 (package.json, etc.) and Step 3 (large source files > 600 LOC) into the agent's context.
  • Boundary markers: There are no specified delimiters or instructions to ignore embedded commands within the analyzed code.
  • Capability inventory: The skill utilizes ls, file-read operations, execution of SAST commands, and file-write operations to update SKILL.md and evals.json files.
  • Sanitization: No sanitization or validation logic is defined before findings are used to modify other skill definitions.
  • [COMMAND_EXECUTION]: In Step 2, the skill executes "SAST Commands" (Secrets, PII, Injection, Auth Coverage) which are defined in external reference files (common-security-audit/references/signals.md). This allows for the execution of shell commands where the payload is retrieved from secondary files.
  • [DYNAMIC_EXECUTION]: The "Skill Feedback Loop" in Step 4 instructs the agent to "Update that skill's SKILL.md with an Anti-Pattern rule". This is a self-modifying or cross-skill modifying behavior that allows the agent to rewrite its own or other skills' logic at runtime based on external data. If an attacker-controlled codebase triggers a specific "Critical" finding via indirect injection, it could potentially manipulate the agent into writing malicious instructions into the skill library.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 10:16 PM
Security Audit — agent-trust-hub — codebase-review