finishing-a-development-branch
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes shell commands using variables like
<base-branch>and<feature-branch>. If a repository contains maliciously named branches (e.g., containing shell metacharacters), it could lead to unintended command execution. However, this is a standard risk for development automation tools. - [PROMPT_INJECTION] (LOW): Category 8: Indirect Prompt Injection surface identified.
- Ingestion points: The skill reads branch names, commit lists, and worktree paths from the local environment.
- Boundary markers: The skill demonstrates security awareness by using single-quoted heredocs (
'EOF') in the PR creation step to prevent shell expansion of content inside the PR body. - Capability inventory: Includes the ability to merge code, push to remote repositories, and delete local branches/worktrees.
- Sanitization: No explicit sanitization of branch names is performed before they are passed to shell commands, though the use of heredocs for the PR body mitigates some risk in that specific step.
- [DATA_EXFILTRATION] (SAFE): While the skill pushes code to a remote ('origin') and creates PRs via the GitHub CLI, these are the intended functions of the skill and target the developer's own repository rather than exfiltrating sensitive system data.
- [CREDENTIALS_UNSAFE] (SAFE): No hardcoded API keys, tokens, or secrets were detected in the skill instructions.
Audit Metadata