rebuttal
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes 'raw reviews' from external, untrusted authors. These reviews are used to build the strategy and draft the rebuttal, and are passed directly to external model tools for stress-testing. An attacker could embed malicious instructions within a review to influence the agent's logic or the output of the rebuttal process.
  - Ingestion points: Phase 1 (Normalization to `rebuttal/REVIEWS_RAW.md`) and Phase 2 (Atomization/Classification in `ISSUE_BOARD.md`).
  - Boundary markers: The instructions do not specify any security-focused delimiters or 'ignore' instructions when interpolating reviewer text into the agent's working context.
  - Capability inventory: The skill has high-privilege access to `Bash(*)`, `Write`, `Edit`, and invokes external agents and MCP tools (`mcp__codex__codex`).
  - Sanitization: No sanitization or validation of the reviewer text is performed before it is utilized in prompts or as tool parameters.
- [COMMAND_EXECUTION]: The skill uses the `Bash(*)` tool and specifically instructs the agent to fall back to Bash heredocs for file operations if standard Write tools fail. In the context of the indirect prompt injection surface mentioned above, this capability increases the risk that an injected instruction could result in unauthorized file system operations or shell command execution.
Audit Metadata