finishing-a-development-branch
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill constructs shell commands by directly interpolating potentially untrusted strings such as branch names and PR titles.
  - Ingestion points: The skill uses variables like <feature-branch>, <base-branch>, and <title> derived from the environment or user input.
  - Capability inventory: Executes git merge, git branch -d, gh pr create, and git worktree remove using subprocess calls.
  - Sanitization: No escaping or validation is performed on these variables before they are passed to the shell.
  - Risk: An attacker could craft a malicious branch name (e.g., "; rm -rf /;") to execute arbitrary commands when the agent attempts to merge or delete the branch.
- [DATA_EXFILTRATION] (LOW): The skill performs network operations to push local data to external repositories.
  - Evidence: Option 2 uses git push -u origin <feature-branch> and gh pr create to move local code and commit history to a remote server.
  - Risk: While this is the intended purpose of the skill, it represents a data exfiltration vector if an agent is tricked into pushing sensitive information to an attacker-controlled repository.
Audit Metadata