ship

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Command Execution (SAFE): The skill utilizes common developer tools (git, gh, jq, pytest) to fulfill its intended purpose. It implements secure bash practices by using quoted heredocs (cat <<'EOF') when interpolating variables into commands, which effectively prevents shell injection from the $ARGUMENTS input.
  • Data Exposure & Exfiltration (SAFE): The skill explicitly instructs the agent to avoid staging sensitive files such as .env, credentials, or other secret files, and to stage specific filenames instead of running 'git add .'.
  • Indirect Prompt Injection (LOW): The skill processes untrusted data which could potentially contain malicious instructions intended for downstream systems or the agent itself.
      • Ingestion points: The $ARGUMENTS variable (commit message) and the contents of README.md, CHANGELOG.md, and plugin.json files.
      • Boundary markers: The skill uses shell-level delimiters for variable safety but lacks explicit instructional delimiters (e.g., 'the following text is data only') within the generated PR bodies and commit messages.
      • Capability inventory: The skill possesses extensive capabilities including file system modification (Edit), repository state changes (Git commit/push), and pull request management (GitHub CLI).
      • Sanitization: The skill provides clear instructions to manually identify and exclude sensitive files during the 'git add' phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 22, 2026, 06:27 AM