review

Warn

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUM
Finding categories: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to verify that dependency resolution commands such as npm ci or pip install complete without errors (Step 2). Running these commands against untrusted project files is a potential remote code execution vector, since package managers execute post-install scripts and a compromised dependency runs with the agent's privileges.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes untrusted data and has code-modification capabilities.
    ◦ Ingestion points: The agent is instructed to read every file relevant to the project, including code and documentation (SKILL.md, Step 3).
    ◦ Boundary markers: No instructions or delimiters are provided to prevent the agent from obeying commands embedded within the reviewed files.
    ◦ Capability inventory: The agent can write to the workspace to create a REVIEW.md file and has the authority to modify project source code to fix findings (Steps 4 and 5).
    ◦ Sanitization: No validation or sanitization of the content of the analyzed files is performed before the agent processes it.
  • [COMMAND_EXECUTION]: The skill requires the agent to perform broad workspace scans and allows it to rewrite files once the user accepts a fix (Step 5). This grants the agent substantial autonomy over the local environment, driven by potentially untrusted input.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 18, 2026, 12:54 PM