commit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is susceptible to instructions embedded in the data it processes.
  - Ingestion points: Untrusted data enters the agent context via `git status`, `git diff HEAD`, `git branch --show-current`, and `git log --oneline -10` as defined in the Context section of `SKILL.md`.
  - Boundary markers: Absent. The output of these commands is interpolated directly into the prompt without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill has access to `git add` and `git commit` tools as defined in the frontmatter.
  - Sanitization: None. There is no logic to filter or escape instructions found within the repository's files or history.
  - Risk: An attacker contributing to the repository could include malicious prompts in a file (detected by `git diff`) or in a previous commit message (detected by `git log`) to trick the agent into staging sensitive files or creating deceptive commits.
- [Command Execution] (LOW): The skill uses shell commands via the `!` syntax to gather context. While restricted to git-related queries, this relies on executing subprocesses based on instructions in the markdown file.
Recommendations
- AI detected serious security threats
Audit Metadata