arch
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core functionality of analyzing external and potentially untrusted code artifacts.
- Ingestion points: The agent ingests data from external sources (PR diffs, repository files) using the gh CLI and the Read tool as part of the PR review protocol defined in SKILL.md and SYSTEM_PROMPT.md.
- Boundary markers: The instructions lack explicit boundary markers or directives to treat content within diffs and external files purely as data, which may lead the agent to follow instructions embedded in analyzed code.
- Capability inventory: The skill's metadata allows access to the Bash and Write tools, providing a significant capability surface if an injection attack were successful.
- Sanitization: There is no evidence of content sanitization or pre-processing to filter or escape potential injection patterns from external data before it enters the LLM context.
Audit Metadata