security-check: Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted external content (git diffs) and uses it to make high-stakes security decisions without proper isolation.
- Ingestion points: Untrusted data enters the agent context through 'git diff HEAD', 'git diff --cached', and 'git diff main...branch'.
- Boundary markers: Absent. There are no instructions to use delimiters or ignore embedded instructions within the ingested code diffs.
- Capability inventory: The skill's output is used to prioritize findings and suggest fixes, directly influencing the security posture of the codebase.
- Sanitization: Absent. The skill does not filter or sanitize comments or strings within the diff that might contain malicious LLM instructions.
- COMMAND_EXECUTION (LOW): The skill executes local git commands. While git is a trusted binary, the arguments it is given (branch names) could theoretically be manipulated if the agent is already compromised; this is a secondary risk.
Recommendations
- AI detected serious security threats