code-security-audit

Pass

Audited by Gen Agent Trust Hub on Jul 3, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted pull request diffs and file contents which are interpolated into prompts sent to the Claude Code CLI, creating an indirect prompt injection surface.
  • Ingestion points: claudecode/prompts.py (variables pr_diff and files_changed).
  • Boundary markers: Markdown code blocks (triple backticks) are used to delimit diff content.
  • Capability inventory: The skill can execute the claude CLI, which has access to file system tools and can perform network operations via Anthropic's API.
  • Sanitization: No explicit escaping or sanitization of the diff content is performed before interpolation.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run() to execute standard development tools and its core analysis engine.
  • Evidence: claudecode/github_action_audit.py executes the claude CLI; claudecode/evals/eval_engine.py executes git commands and the Python audit script.
  • Context: These operations are necessary for the skill's primary function of fetching code and running AI-driven security scans.
  • [EXTERNAL_DOWNLOADS]: The GitHub Action workflow installs dependencies from trusted public registries.
  • Evidence: action.yml uses pip to install requirements and npm to install the @anthropic-ai/claude-code package.
  • Context: All packages are from well-known sources (Anthropic, PyPI).
  • [SAFE]: The skill uses the !command`` syntax to inject git metadata into its analysis context for local git operations.
  • Evidence: assets/security-review-command.md contains !git status, `!`git diff, and !git log`` commands.
  • Context: These are benign git operations used to provide current project state to the AI agent during a review.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 3, 2026, 08:06 AM
Security Audit — agent-trust-hub — code-security-audit