review-interfaces
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core functionality of ingesting and analyzing untrusted source code.
- Ingestion points: Source files are read from the conversation context, staged changes (via `git diff`), or the full codebase (via globbing) as specified in SKILL.md.
- Boundary markers: There are no instructions to use delimiters or protective wrappers (e.g., XML tags or specific 'ignore instructions' prefixes) when passing the ingested code to the agent or its sub-agents.
- Capability inventory: The skill workflow explicitly instructs the agent to 'spawn one sub-agent per category' to parallelize the review. Malicious instructions embedded in the code being reviewed could potentially influence these sub-agents.
- Sanitization: The skill lacks logic to sanitize or validate the content of the files before processing them.
- [COMMAND_EXECUTION]: The skill uses local shell commands to determine the scope of its review.
- Evidence: It executes `git diff --cached --name-only` to identify staged changes in the repository. This is a benign use of command execution intended for the skill's primary purpose.
Audit Metadata