ce-review
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Category: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data that could influence the behavior of the review agents.
- Ingestion points: Pull Request metadata (title, body, and file diffs) fetched via `gh pr view`, and the `compound-engineering.local.md` configuration file located in the project root of the branch being reviewed. If an attacker controls the PR branch, they can manipulate the review context or the defined agents.
- Boundary markers: The instructions for sub-agents (e.g., `Task {agent-name}(PR content + review context)`) do not specify the use of delimiters (such as XML tags or triple dashes) or 'ignore' instructions to isolate untrusted PR content from the agent's core logic.
- Capability inventory: The skill and its sub-agents can execute shell commands (`git`, `gh`), manage local files (via `file-todos`), and spawn further sub-tasks with agent capabilities.
- Sanitization: No sanitization or validation of the PR content or the local configuration file is performed prior to processing, allowing embedded instructions to potentially reach the LLM's context.
Audit Metadata