multi-cli-review-action
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill ingests external reviewer reports in Markdown format, creating a surface for indirect prompt injection where malicious content in a report could attempt to influence agent actions.
  - Ingestion points: Workflow Step 2 reads reports from a user-specified task directory.
  - Boundary markers: The skill enforces a strict Report Intake Contract and validates file metadata/frontmatter.
  - Capability inventory: The skill can modify project files (Step 8) and execute shell commands for verification (Step 9).
  - Sanitization: Every finding must be re-checked against the local codebase and task boundary, and no edits occur without mandatory user confirmation.
- [COMMAND_EXECUTION]: The skill modifies project files and executes shell-based verification tools such as linters and test suites.
  - Evidence: Described in Workflow Steps 8 and 9.
  - Mitigation: Command execution is gated by mandatory human confirmation and by strict path resolution rules that prevent access to system-level directories such as the system /tmp or user home folders.
Audit Metadata