finishing-a-development-branch

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (LOW): The skill executes various local commands including project test suites (npm test, cargo test, pytest, go test), Git operations, and the GitHub CLI (gh). While these are standard for development workflows, they involve executing code and binaries within the user's local environment.
  • PROMPT_INJECTION (LOW): The skill has an indirect prompt injection surface (Category 8). It reads data from the local environment that could be influenced by an external actor (e.g., via a malicious pull request or branch name) and incorporates it into agent actions.
      • Ingestion points: The skill reads branch names (git branch), commit lists, and repository structure to determine base branches and create PR bodies.
      • Boundary markers: The skill uses shell heredocs (EOF) when generating PR bodies, which provides a level of structural delimitation for the content.
      • Capability inventory: The agent can execute arbitrary shell commands (tests), perform destructive Git actions (git branch -D), and communicate with remote repositories (git push, gh pr create).
      • Sanitization: There is no explicit sanitization of branch names or commit messages before they are used as arguments in shell commands or interpolated into prompts, though the use of heredocs for the PR body is a partial mitigation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 22, 2026, 04:54 AM