git-bisect
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands provided in the
${TEST_COMMAND}argument throughout the verification and bisecting phases. - [REMOTE_CODE_EXECUTION]: The skill performs dynamic script generation by writing user-provided input into a temporary file (
tmp/bisect_test.sh), setting execution permissions, and running it viagit bisect run. The use of an unquoted heredoc (<< EOF) during script creation allows for potential shell expansion of the command string before it is written to the file. - [COMMAND_EXECUTION]: User-controlled variables
${BAD_REF}and${GOOD_REF}are interpolated directly into shell commands (e.g.,git checkout ${BAD_REF}), which could lead to command injection if the inputs are not properly sanitized by the calling agent.
Audit Metadata