review-it

Warn

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/review-it uses the eval command to execute arbitrary shell instructions passed via the --parallel-tests argument.
      • Evidence: The line eval "$TESTS" > /tmp/review-it-tests-$$.log 2>&1 & in scripts/review-it executes the content of the $TESTS variable in a subshell.
      • Risk: If an agent is manipulated into passing malicious strings to this argument, it results in arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill processes untrusted external data (git diffs), which serves as a surface for indirect prompt injection attacks.
      • Ingestion points: scripts/review-it generates a diff file at /tmp/review-it-$$.diff using git diff "$BASE"...HEAD and then instructs the agent to analyze it via /review.
      • Boundary markers: The skill instructions do not specify any delimiters or safety markers to differentiate between the diff content and the agent's instructions.
      • Capability inventory: The skill has access to the file system (read/write in /tmp), network (via git fetch and gh), and command execution (via eval).
      • Sanitization: No sanitization or filtering is performed on the diff content before it is processed by the agent.
  • [COMMAND_EXECUTION]: Use of predictable temporary filenames in a shared directory (/tmp).
      • Evidence: Use of the shell PID ($$) for filenames like /tmp/review-it-$$.diff and /tmp/review-it-tests-$$.log.
      • Risk: While common in scripts, using the PID for temporary files in /tmp can be susceptible to symlink attacks or race conditions in multi-user environments.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 29, 2026, 07:12 AM