cross-model-review
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is centered around executing external CLI tools to perform its primary function.
- Evidence: instructions in
SKILL.mddirect the agent to invokecodex review,codex exec, and theclaudeCLI with various flags like-pand--allowedTools. - Evidence: The skill utilizes
git diffandgit showto extract code context for the review process. - [INDIRECT_PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing untrusted external data (code changes) and passing it to an LLM.
- Ingestion points:
git diff main...HEAD,git show <SHA>, andgit diffoutput are ingested inSKILL.mdpatterns 1, 2, and 3. - Boundary markers: The prompts in
references/prompts.mddo not utilize robust delimiters or instructions to ignore embedded commands within the code under review. - Capability inventory: The commands suggested in
SKILL.mdgrant the reviewer models capabilities such asRead,Glob,Grep, andBash(git *)via the--allowedToolsflag. - Sanitization: No sanitization or filtering of the code content is performed before it is sent to the reviewer CLI.
Audit Metadata