code-review

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In the file code-review-agent-prompt.md, the agent is directed to "Run the tests yourself" during the verification stage. This instruction leads the agent to invoke the repository's own test runner (e.g., npm test, pytest). Because the repository defines what those commands actually run (for example the "test" script in package.json, or test-time hooks and fixtures), a malicious repository can use them to run arbitrary shell commands or binaries in the agent's environment.
  • [REMOTE_CODE_EXECUTION]: Executing code from a repository scope that is only identified at runtime (the review scope) amounts to remote code execution if the analyzed repository contains payloads designed to exploit the agent's environment.
  • [PROMPT_INJECTION]: The instructions in code-review-agent-prompt.md employ aggressive steering language such as "The Iron Law," "DO NOT SKIP," and "No exceptions" to override the agent's default decision-making and force adherence to a complex methodology.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface:
    1. Ingestion points: files and git logs read during the DISCOVER and READ phases in code-review-agent-prompt.md.
    2. Boundary markers: absent; no delimiters isolate untrusted repository content from the agent's instructions.
    3. Capability inventory: the subagent has the authority to execute commands ("Run the tests") and to write reports to the file system.
    4. Sanitization: absent; content from the review scope is ingested without validation or escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 12:18 AM
Security Audit — agent-trust-hub — code-review