bug-blitz
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute git commands (git worktree add/remove) where arguments such as
{repo-name},{displayId}, and{bug-name}are derived from external data provided by the Transit MCP server. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from an external source (Transit task names and descriptions) and interpolates it directly into the prompt of a subagent.
- Ingestion points: Data is fetched from Transit via
mcp__transit__query_tasksinSKILL.md. - Boundary markers: There are no explicit delimiters or instructions to the subagent to ignore potentially malicious instructions embedded within the task description or name.
- Capability inventory: The skill possesses extensive capabilities including file system access (Read, Write, Edit), shell command execution (Bash), and the ability to spawn further agents (Task).
- Sanitization: While the instructions suggest deriving a 'kebab-case' name for the branch (which may sanitize shell metacharacters), the subagent's prompt receives the raw
{task_name}and{task_description}without validation or escaping.
Audit Metadata