code-review
Warn
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill directly interpolates user-provided strings (such as commit SHAs, branch names, or tags) into shell commands like
git diff <fixed-point>...HEAD,git log <fixed-point>..HEAD, andgit rev-parse <fixed-point>. This presents an argument injection surface where a malicious user could potentially execute unintended git flags or commands. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It processes untrusted data from multiple sources to perform its primary function:
- Ingestion points: Code diffs from
git diff, commit messages fromgit log, and external documentation files (PRDs, issues,specs/,docs/). - Boundary markers: The instructions for the sub-agents use plain text headers (e.g., 'Report:', 'Brief:') but do not employ robust delimiters (like XML tags or random triple-backticks) to isolate the untrusted code/spec content from the instructions.
- Capability inventory: The agent has the ability to execute git commands and spawn additional
general-purposesub-agents with full context access. - Sanitization: No evidence of sanitization or filtering of the ingested content is present. A malicious PR or issue description could contain instructions that attempt to manipulate the code review's outcome.
- [EXTERNAL_DOWNLOADS]: The skill references an external setup command
/setup-matt-pocock-skillsand refers todocs/agents/issue-tracker.mdfor workflow logic. While these appear to be part of a specific developer environment, they introduce dependencies on external configuration and scripts that are not contained within the skill itself.
Audit Metadata