code-history
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill is highly vulnerable to shell command injection. It interpolates the
$ARGUMENTSvariable (user input) directly into bash commands such asgit log -S '<pattern>'andgit log -L :'<func>':<file>. An attacker could provide a malicious input containing single quotes and command separators (e.g.,'; touch /tmp/pwned; ') to execute arbitrary code on the user's machine. - PROMPT_INJECTION (LOW): The skill has a significant indirect prompt injection surface (Category 8). It ingests and analyzes external data that is often attacker-controlled, such as git commit messages and GitHub pull request titles.
- Ingestion points:
git logoutput andgh pr listresults (SKILL.md, Steps 2 and 3). - Boundary markers: Absent. There are no delimiters or instructions telling the agent to treat the git history as untrusted data.
- Capability inventory: The agent has access to
Bash(git, grep, gh) and file reading capabilities. - Sanitization: Absent. The skill does not perform any validation or escaping on the retrieved commit messages before analysis.
Recommendations
- AI detected serious security threats
Audit Metadata