autoreview
Warn
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/autoreview executes arbitrary user-provided strings via bash -lc "$parallel_tests". This allows for unvalidated shell command execution.
- [COMMAND_EXECUTION]: The skill automatically executes pnpm run check if it detects a Node.js project structure, which runs scripts defined in the local package.json file.
- [COMMAND_EXECUTION]: The skill defaults to running codex review with the flags --dangerously-bypass-approvals-and-sandbox and --sandbox danger-full-access. This is a deliberate attempt to circumvent security sandboxes and platform-level approval prompts.
- [DATA_EXFILTRATION]: The skill collects code diffs, including untracked files, and transmits this information to external AI services (e.g., Anthropic, Microsoft, Pi) through their respective CLI tools for analysis.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by ingesting untrusted data (code diffs) and interpolating it into prompts sent to secondary AI reviewers.
  - Ingestion points: The diff_for_review function in scripts/autoreview captures output from git diff, git show, and git ls-files.
  - Boundary markers: The build_prompt_file function uses only a simple "Diff:" header to separate code from instructions, which is insufficient to prevent data from being interpreted as commands.
  - Capability inventory: The skill has access to the shell, git, GitHub CLI, and various AI model binaries.
  - Sanitization: No escaping or sanitization is performed on the repository diffs before they are included in the prompt.
Audit Metadata