graphite
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection as defined in Category 8. Based on the capabilities and data access:
  - Ingestion points: The agent is instructed to read external content from the local repository, specifically the '.github/pull_request_template.md' file and source code files during 'gt sync' and conflict resolution.
  - Boundary markers: Absent. The skill provides no delimiters or instructions to treat repository-sourced content as data rather than instructions, nor any 'ignore' directives.
  - Capability inventory: The agent has the capability to modify the local filesystem (via 'gt create', 'gt modify', and conflict resolution) and to perform network operations by pushing changes to remote servers via 'gt submit'.
  - Sanitization: Absent. There is no logic provided to sanitize or escape content read from the repository before it is used to generate PR descriptions or commit messages.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill requires the execution of the 'gt' (Graphite) CLI tool via an MCP server configuration ('gt mcp') or direct shell commands. This constitutes local command execution and relies on the security of the locally installed Graphite toolchain, which is not among the defined trusted sources.
Recommendations
- AI detected serious security threats