gerrit-review
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script scripts/gerrit_api.sh performs shell command execution using curl, jq, and python3. The variable AUTH_HEADER, which contains user-supplied credentials, is used without quoting in multiple curl calls. This creates a potential argument injection vector if the GERRIT_USERNAME or GERRIT_HTTP_PASSWORD environment variables contain spaces or other shell-significant characters.
- [EXTERNAL_DOWNLOADS]: The skill communicates with external Gerrit instances via HTTP REST API calls to fetch change metadata, diffs, and file contents. These operations target a user-defined GERRIT_URL which is outside the standard whitelist.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from an external source.
  - Ingestion points: External code diffs, file contents, and reviewer comments are fetched from Gerrit via scripts/gerrit_api.sh and presented to the agent.
  - Boundary markers: The instructions do not include delimiters or specific guidance for the agent to ignore or isolate instructions embedded within the retrieved code or comments.
  - Capability inventory: The agent has the ability to execute network requests, read/write to the file system via standard tools, and perform write operations on the Gerrit server (posting reviews and submitting changes).
  - Sanitization: There is no evidence of sanitization or validation of the remote content before it is processed by the AI agent.