git-squash-commits
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from the git commit history (messages and diffs) to generate a summarized commit message.
  - Ingestion points: `git log --format="%s"` (Step 2) and `git diff` (Step 3) are used to collect raw data from the repository history.
  - Boundary markers: None are specified; the AI is simply told to "Analyze the commits and changes".
  - Capability inventory: The skill has the ability to execute shell commands, create commits, and write files to the local filesystem (`ai_docs/`).
  - Sanitization: No sanitization or escaping of the commit messages or diff content is performed before processing.
- [COMMAND_EXECUTION] (HIGH): Step 8 of the implementation guidelines uses an unquoted shell heredoc (`cat > "$SUMMARY_FILE" <<EOF`) to write the summary record.
  - Evidence: Because the heredoc delimiter `EOF` is not quoted, the shell performs parameter expansion and command substitution on the content being written. If the git history contains a malicious file name (e.g., one containing backtick command substitution such as `` `touch EXPLOIT` ``) or a crafted commit message, the shell executing the summary generation will execute that embedded command.
- [COMMAND_EXECUTION] (MEDIUM): Step 6 uses a complex shell construction, `git commit -m "$(cat <<'EOF' ... EOF)"`. While the internal heredoc is quoted (`'EOF'`), the overall pattern of placing AI-generated content (derived from untrusted history) directly into a shell command line is risky and can lead to command hijacking if the AI is manipulated into generating specific shell metacharacters.
Recommendations
- AI detected serious security threats