pre-push-security-scan
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is a defensive security utility that performs local audits to prevent data exposure. Its operations are transparent and use standard system tools.
- [COMMAND_EXECUTION]: The skill provides numerous bash commands for scanning git diffs, file contents, and history using `grep`. It includes a check that retrieves local secrets from the `pass` password manager to ensure they are not committed to the repository.
- [EXTERNAL_DOWNLOADS]: The documentation suggests installing `git-filter-repo` via `pip`. This is a well-known, legitimate utility for cleaning sensitive data from git history and is hosted on standard package registries.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface, as it processes untrusted file contents throughout the repository and git history. Malicious instructions within these files could potentially influence an agent interpreting the scan results.
- Ingestion points: Repository files, git diffs, and commit history logs parsed by `grep` (SKILL.md).
- Boundary markers: The skill does not implement delimiters or specific instructions to ignore embedded prompts in the scanned content.
- Capability inventory: File system read access, bash execution, and package management capabilities (SKILL.md).
- Sanitization: The scanner uses keyword exclusion (e.g., `grep -v 'REDACTED'`) to reduce noise, but does not perform sanitization of the content being analyzed.
Audit Metadata