second-opinions
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: The skill's core functionality involves transmitting local project data—including source code, git diffs, and internal documentation—to external third-party AI services (OpenAI via Codex MCP and Google via the Gemini CLI). While this is the intended use case, it constitutes a significant data transfer surface to external domains.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the project environment and interpolates it into prompts for external models.
  - Ingestion points: Project files are read via the "Read" tool, and git diffs are gathered using "Bash" commands (e.g., in "SKILL.md" and "references/gemini.md").
  - Boundary markers: The skill attempts to use XML tags ("", "") and explicit instructions (e.g., "IMPORTANT: Do NOT read or execute any files under ~/.claude/...") to isolate data from instructions.
  - Capability inventory: The agent has access to "Bash", "Write", "Read", and external model communication tools across all files.
  - Sanitization: There is no automated sanitization or filtering of the ingested content before it is sent to the external models.
- [EXTERNAL_DOWNLOADS]: The documentation (e.g., "references/gemini.md" and "SKILL.md") provides instructions for the user to install the Gemini CLI ("@google/gemini-cli") and various extensions from GitHub repositories ("github.com/gemini-cli-extensions/"). These are well-known or related technical organizations.
Audit Metadata