grug-review
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use standard version control commands (git status, git diff, git logs, git merge-base) to retrieve project information. These are read-only operations necessary for the skill's stated purpose of reviewing code changes.
- [PROMPT_INJECTION]: The instructions include a specific block of text intended to be output to the user to facilitate a design interview. While the phrasing "Interview me relentlessly" is aggressive, it is context-appropriate for the 'Grug' persona and does not attempt to bypass safety filters or override the agent's core system prompt.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes untrusted data from the local repository (code diffs and logs).
  - Ingestion points: Data enters the agent context via git command outputs and attached file context as described in SKILL.md.
  - Boundary markers: There are no explicit instructions to the agent to ignore or delimit potentially malicious instructions embedded within the code being reviewed.
  - Capability inventory: The skill uses git commands for data retrieval and mentions spawning parallel 'explore-style' subagents for codebase analysis.
  - Sanitization: No sanitization or validation of the input data is described. However, the instructions explicitly state the agent should 'stay read-only unless the user commissioned edits', which significantly mitigates the risk of an injection causing unauthorized changes.
Audit Metadata