review-comments
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the hardcoded shell commands `git diff --cached --name-only` and `git diff --name-only` to identify staged and changed files for processing. These are legitimate operations for the skill's purpose.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted content from source code comments and uses an LLM to generate code changes or refactors based on that content. A malicious actor could craft a comment that instructs the agent to introduce a backdoor or modify logic under the guise of a code refactor, especially when the `--fix` flag is used for automated application of changes.
- Ingestion points: Local source files identified via glob patterns or git status.
- Boundary markers: The sub-agent prompt utilizes delimiters for the file list but lacks specific instructions to disregard instructions embedded within the comments themselves.
- Capability inventory: The skill possesses file reading, sub-agent task spawning, and code modification (Edit tool) capabilities.
- Sanitization: There is no evidence of sanitization or content validation performed on the comments before they are interpreted for refactoring suggestions.
Audit Metadata