code-security-audit
Pass
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted pull request diffs and file contents which are interpolated into prompts sent to the Claude Code CLI, creating an indirect prompt injection surface.
- Ingestion points:
claudecode/prompts.py(variablespr_diffandfiles_changed). - Boundary markers: Markdown code blocks (triple backticks) are used to delimit diff content.
- Capability inventory: The skill can execute the
claudeCLI, which has access to file system tools and can perform network operations via Anthropic's API. - Sanitization: No explicit escaping or sanitization of the diff content is performed before interpolation.
- [COMMAND_EXECUTION]: The skill uses
subprocess.run()to execute standard development tools and its core analysis engine. - Evidence:
claudecode/github_action_audit.pyexecutes theclaudeCLI;claudecode/evals/eval_engine.pyexecutesgitcommands and the Python audit script. - Context: These operations are necessary for the skill's primary function of fetching code and running AI-driven security scans.
- [EXTERNAL_DOWNLOADS]: The GitHub Action workflow installs dependencies from trusted public registries.
- Evidence:
action.ymlusespipto install requirements andnpmto install the@anthropic-ai/claude-codepackage. - Context: All packages are from well-known sources (Anthropic, PyPI).
- [SAFE]: The skill uses the
!command`` syntax to inject git metadata into its analysis context for local git operations. - Evidence:
assets/security-review-command.mdcontains!git status, `!`git diff, and!git log`` commands. - Context: These are benign git operations used to provide current project state to the AI agent during a review.
Audit Metadata