Skills
skills/security-phoenix-demo/security-skills-claude-code/security-reviewer/Gen Agent Trust Hub

security-reviewer

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: CRITICALPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface within its automation hooks, which ingest untrusted content from the project being reviewed.
  • Ingestion points: session-start.sh reads project manifest files (e.g., package.json, requirements.txt) and dependency audit logs. post-edit-quickscan.sh reads source code snippets from any file modified by the user.
  • Boundary markers: Injected findings are delimited by markdown headers (e.g., ## SECURITY QUICK-SCAN), though the agent is not explicitly instructed to ignore potentially malicious commands within those blocks.
  • Capability inventory: The agent has access to several powerful tools including Bash for command execution, Read for file access, and Edit for file modification.
  • Sanitization: The hooks use JSON encoding for data safety during transmission, but no semantic sanitization is performed on the ingested code or metadata to neutralize potential injection instructions.
Recommendations
  • CRITICAL: 1 infected file(s) detected - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 19, 2026, 01:12 AM
Security Audit — agent-trust-hub — security-reviewer