git-commit-assistant
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The Python script scripts/generate-commit-msg.py executes local git commands such as git diff using the subprocess.run function. It correctly uses a list of arguments and avoids the shell=True parameter, which effectively prevents command injection vulnerabilities.
- [PROMPT_INJECTION]: The skill processes untrusted data when analyzing git diffs to categorize changes. Evidence chain:
  1. Ingestion points: The script scripts/generate-commit-msg.py reads the output of the git diff command.
  2. Boundary markers: No specific delimiters are used to separate diff content from the analysis logic.
  3. Capability inventory: The skill is limited to local git operations and text output; it possesses no network, file-writing, or privilege escalation capabilities.
  4. Sanitization: No explicit sanitization is performed on the diff text, but the risk is negligible as the data is only used for keyword-based commit message suggestions.
Audit Metadata