Warn
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The software review dimensions include a verification step to ensure that dependency installation commands, such as `pip install` or `npm ci`, complete without errors. Executing these commands on an untrusted workspace can trigger malicious scripts embedded in configuration files, such as `package.json` preinstall scripts or code in `setup.py`, leading to arbitrary code execution on the host system.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform project analysis and fix identified issues. The instruction to verify command completion for package managers involves the execution of shell commands on data provided by the untrusted project workspace.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes arbitrary files from the workspace to generate findings and recommendations. Maliciously crafted content within the reviewed files could manipulate the agent's behavior, leading it to generate incorrect fixes or perform unauthorized actions.
  - Ingestion points: The agent is instructed to scan and read every relevant file in the project workspace (SKILL.md, Step 3).
  - Boundary markers: The instructions do not define delimiters or specify that the agent should ignore instructions embedded within the project files.
  - Capability inventory: The agent has access to the Bash, Write, and Edit tools, which could be abused if the agent's logic is subverted by malicious file content.
  - Sanitization: No sanitization or validation mechanisms are described for the content of the project files before they are processed by the agent.
Audit Metadata