cross-review
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a controlled delegation pattern where sensitive operations (file modifications) are explicitly forbidden for the subagent. The use of 'spawn_subagent' is scoped to the 'code-review' skill.
- [SAFE]: Instructions requiring 'verbatim' relay of subagent output are functional constraints designed to ensure transparency and prevent the primary agent from unintentionally filtering or misinterpreting technical review findings.
- [SAFE]: The skill includes a validation step for user-provided model IDs, ensuring that only supported/available models are utilized for the subagent.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection (Category 8) due to its core functionality:
  - Ingestion points: User-provided 'review instructions' are parsed in Step 1 and passed directly to the subagent in Step 3.
  - Boundary markers: Uses Markdown section headers (e.g., '## Review Instructions') to delimit the untrusted content. No explicit 'ignore embedded instructions' warning is provided.
  - Capability inventory: The skill uses context-gathering tools (Read) and delegation (spawn_subagent). The instructions explicitly constrain the subagent to a 'read-only' mode, forbidding 'Edit', 'Write', or 'Bash' commands.
  - Sanitization: No sanitization of user instructions is performed prior to interpolation.