git-snapshot-rollback

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/rollback.py uses subprocess.run(cmd, shell=True) to execute Git operations. The use of shell=True combined with string interpolation of external variables is a high-risk pattern that facilitates command injection.
  • [COMMAND_EXECUTION]: User-controlled inputs, specifically the reason and target_commit arguments, are directly embedded into shell command strings (e.g., run_cmd(f"git commit -m '... due to {reason}'")). An attacker can provide a string containing shell metacharacters such as ;, &, or | to terminate the intended command and execute unauthorized system commands.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it processes natural language descriptions (the 'reason' for rollback) and passes them directly to a shell execution context without sanitization.
  • Ingestion points: The reason and target_commit parameters in scripts/rollback.py sourced from user input.
  • Boundary markers: Absent. There are no delimiters or instructions to the agent or script to treat the input as literal data rather than executable shell content.
  • Capability inventory: The script has the capability to perform any Git operation and, via injection, any shell command available to the user running the agent.
  • Sanitization: Absent. The script does not use utilities like shlex.quote() to escape the input before passing it to the shell.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 11:25 PM