commit-helper
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill reads untrusted external content via 'git diff' and possesses command execution ('Bash') and file modification ('Write', 'Edit') capabilities. An attacker could embed instructions in files being committed to hijack the agent session.
- Ingestion points: Workflow instructions in 'SKILL.md' and 'README.md' require reading the output of 'git diff'.
- Boundary markers: Absent. There are no delimiters or warnings to isolate untrusted diff content from the agent's internal instructions.
- Capability inventory: The skill allows 'Bash', 'Write', 'Edit', 'Read', and 'Grep' tools.
- Sanitization: Absent. Untrusted content is processed as raw text without validation or filtering.
- [Metadata Poisoning] (MEDIUM): The 'SKILL.md' frontmatter defines an 'after_complete' hook triggering an external 'session-logger' that is not defined within the skill files. This represents unverified, automated behavior that occurs after task completion.
- [Command Execution] (LOW): The skill's operational flow relies on shell commands for Git operations and a local Python script. While these are intended behaviors, they provide the execution context for potential injection attacks.
Recommendations
- AI detected serious security threats
Audit Metadata