ac-checkpoint-manager
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes `git` commands through `subprocess.run`. It correctly uses argument lists to prevent shell injection, but it retrieves the `commit` ID from metadata files which could be manipulated.
- [PROMPT_INJECTION] (LOW): An indirect prompt injection surface is present.
  1. Ingestion points: The skill reads `metadata.json`, `feature_list.json`, and various state files in the `.claude/` directory.
  2. Boundary markers: None.
  3. Capability inventory: Supports file deletion via `shutil.rmtree`, restoration via `shutil.copytree`, and git state manipulation via `git reset --hard`.
  4. Sanitization: No validation or sanitization of `checkpoint_id` or `git_commit` strings retrieved from metadata, which could lead to path traversal or unintended state changes if the source files are malicious.
Audit Metadata