code-review
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a delegation feature that permits users to specify an arbitrary CLI command name as an argument, which is then executed via a Bash shell using the pattern ' -q ""'. This allows for the execution of unauthorized binaries or scripts present on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes code from the local repository (using git diff, Read, Grep, and Glob) to perform reviews. Malicious instructions embedded within source code files could manipulate the behavior of the agent or of the delegated tool.
- Ingestion points: SKILL.md uses git diff, Read, Grep, and Glob to ingest untrusted codebase content.
- Boundary markers: Absent. The file content is directly interpolated into the prompt without delimiters or instructions to ignore embedded commands.
- Capability inventory: Bash, Read, Grep, Glob, and Agent tools are available.
- Sanitization: Absent. No filtering or escaping is performed on the ingested code.
Recommendations
- AI detected serious security threats
Audit Metadata