autoreview
Fail
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script executes arbitrary shell commands defined in the environment or project configuration (such as
ci:staticscripts within apackage.json) usingbash -lc, which can be exploited if project files are compromised. - [COMMAND_EXECUTION]: The script permits the specification of paths to arbitrary executable binaries through command-line arguments (e.g.,
--codex-bin,--claude-bin), which are subsequently executed with parameters. - [COMMAND_EXECUTION]: The skill is configured to explicitly bypass safety sandboxes and user approval requirements by default when invoking the
codextool, utilizing high-privilege flags including--dangerously-bypass-approvals-and-sandboxand--sandbox danger-full-access. - [DATA_EXFILTRATION]: The skill collects local repository data, including source code changes and diffs, and transmits this information to various external-facing CLI tools and LLM service providers during the review process.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from repository diffs and interpolates it into LLM prompts without sufficient sanitization or robust boundary markers.
- Ingestion points: The
diff_for_reviewfunction inscripts/autoreviewgathers git diffs, status, and untracked file content. - Boundary markers: Absent; the
build_prompt_filefunction uses only a simple "Diff:" header to separate instructions from untrusted data. - Capability inventory: The script possesses significant capabilities including shell execution via
bash -lc, file system writes viatee, and the ability to run binaries with sandbox bypasses. - Sanitization: No sanitization or escaping is performed on the ingested diff content before it is placed in the prompt.
Recommendations
- AI detected serious security threats
Audit Metadata