cross-model-review

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is centered around executing external CLI tools to perform its primary function.
  • Evidence: instructions in SKILL.md direct the agent to invoke codex review, codex exec, and the claude CLI with various flags like -p and --allowedTools.
  • Evidence: The skill utilizes git diff and git show to extract code context for the review process.
  • [INDIRECT_PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing untrusted external data (code changes) and passing it to an LLM.
  • Ingestion points: git diff main...HEAD, git show <SHA>, and git diff output are ingested in SKILL.md patterns 1, 2, and 3.
  • Boundary markers: The prompts in references/prompts.md do not utilize robust delimiters or instructions to ignore embedded commands within the code under review.
  • Capability inventory: The commands suggested in SKILL.md grant the reviewer models capabilities such as Read, Glob, Grep, and Bash(git *) via the --allowedTools flag.
  • Sanitization: No sanitization or filtering of the code content is performed before it is sent to the reviewer CLI.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 11:39 PM
Security Audit — agent-trust-hub — cross-model-review