skills/openclaw/clawhub/autoreview/Gen Agent Trust Hub

autoreview

Fail

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script executes arbitrary shell commands defined in the environment or project configuration (such as ci:static scripts within a package.json) using bash -lc, which can be exploited if project files are compromised.
  • [COMMAND_EXECUTION]: The script permits the specification of paths to arbitrary executable binaries through command-line arguments (e.g., --codex-bin, --claude-bin), which are subsequently executed with parameters.
  • [COMMAND_EXECUTION]: The skill is configured to explicitly bypass safety sandboxes and user approval requirements by default when invoking the codex tool, utilizing high-privilege flags including --dangerously-bypass-approvals-and-sandbox and --sandbox danger-full-access.
  • [DATA_EXFILTRATION]: The skill collects local repository data, including source code changes and diffs, and transmits this information to various external-facing CLI tools and LLM service providers during the review process.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from repository diffs and interpolates it into LLM prompts without sufficient sanitization or robust boundary markers.
  • Ingestion points: The diff_for_review function in scripts/autoreview gathers git diffs, status, and untracked file content.
  • Boundary markers: Absent; the build_prompt_file function uses only a simple "Diff:" header to separate instructions from untrusted data.
  • Capability inventory: The script possesses significant capabilities including shell execution via bash -lc, file system writes via tee, and the ability to run binaries with sandbox bypasses.
  • Sanitization: No sanitization or escaping is performed on the ingested diff content before it is placed in the prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 10, 2026, 03:30 PM
Security Audit — agent-trust-hub — autoreview