code-review

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Categories assessed: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as its primary function is to process and analyze untrusted content (code changes and PR descriptions). Specifically, the 'Review Self-Improvement Message' instructs the agent to read and follow instructions from a .agents/skills/custom-codereview-guide.md file provided within the PR branch. An attacker could use this file to override the agent's core instructions or bypass security checks.
  • Ingestion points: PR code diffs, PR descriptions, and the custom-codereview-guide.md file.
  • Boundary markers: None identified; the agent is instructed to incorporate context from the custom guide directly.
  • Capability inventory: The skill provides feedback and analysis but is explicitly instructed not to modify code. It relies on the agent's ability to read files and post comments.
  • Sanitization: No evidence of sanitization or escaping for the processed PR data or custom instructions.
  • [DATA_EXFILTRATION]: The skill instructs the agent to include links to originating conversations (e.g., https://app.all-hands.dev/conversations/{conversation_id}) in its output. While this involves sending internal identifiers to a remote URL, the domain belongs to the vendor (OpenHands) and is used for legitimate workflow linking.
  • [COMMAND_EXECUTION]: Scenario 5 in SKILL.md instructs the agent to check the system clock using the date command to verify the current year for CVE evaluations. This is a legitimate functional requirement for accurate security analysis.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 04:39 AM