code-review-parsing

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/analyze_code.py executes the tree-sitter command-line utility using subprocess.run. The implementation follows security best practices by passing arguments as a list and not using shell=True, which effectively prevents shell injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it ingests and processes untrusted data from external code files.
      • Ingestion points: External source code files provided via the {{file_path}} parameter are read and parsed by the tool.
      • Boundary markers: The output from the script is returned to the agent context without specific delimiters or instructions to ignore potential commands embedded within the parsed AST data.
      • Capability inventory: The skill has the capability to execute the tree-sitter binary and read files from the filesystem via scripts/analyze_code.py.
      • Sanitization: There is no sanitization of the content extracted from the files before it is provided to the agent, creating a surface where malicious code patterns or comments could attempt to influence the agent's logic.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 20, 2026, 03:28 AM