blitz-merge

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It fetches task names and descriptions from the external Transit system and interpolates them directly into instructions for subagents. If an attacker controls the content of a Transit ticket, they could inject instructions to override subagent behavior.
      • Ingestion points: Transit task data fetched via mcp__transit__query_tasks in SKILL.md.
      • Boundary markers: Absent. The variables {task_name} and {task_description} are placed in the prompt without delimiters or warnings to ignore embedded instructions.
      • Capability inventory: Subagents have access to Bash, Edit, and Write tools to perform code modifications and repository operations.
      • Sanitization: Absent. No validation or escaping is performed on the external task data before it is used in prompts.
  • [COMMAND_EXECUTION]: The skill performs several sensitive repository operations based on the automation flow, including force-pushing and merging code.
      • Evidence: Use of git push --force-with-lease and gh pr merge --squash --delete-branch in Phase 3. While these align with the intended purpose of the skill, they represent powerful capabilities that could be abused if the agent is influenced by injected content.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 11:17 PM