cross-harness-review

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data (git diffs, PR bodies, and source files) that may contain malicious instructions designed to subvert the AI reviewer.
  • Ingestion points: SKILL.md defines review targets including uncommitted diffs, branches, commits, PR content, and specific file paths.
  • Boundary markers: Absent. The shared prompt interpolates target content directly into the review request without using XML-style delimiters or specific instructions to the secondary AI to ignore embedded commands within the code.
  • Capability inventory: The skill executes the claude and codex CLI tools, which are granted access to shell utilities such as git, rg, jq, npm, and pnpm through the --allowedTools flag.
  • Sanitization: Absent. There is no evidence of content filtering or validation before the data is passed to the secondary harness.
  • [COMMAND_EXECUTION]: The skill invokes external command-line interfaces (claude and codex) to perform its primary function. Notably, it uses flags like --permission-mode dontAsk which suppresses user confirmation prompts for tool execution within the sub-harness, potentially increasing the impact of a successful indirect prompt injection attack.
Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 08:10 AM