git-commit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill contains explicit instructions to 'commit everything' and 'Never... ask the user which files to commit'. This bypasses critical human-in-the-loop safety checks, making it highly likely that sensitive files (e.g., .env, temporary secrets, or local-only configs) will be staged and committed to the repository. While no network exfiltration is hardcoded, committing secrets to a repository often leads to their exposure on remote servers or shared environments.
- [Indirect Prompt Injection] (HIGH):
- Ingestion points: The skill ingests untrusted data via
!git diff --statand the implied full diff needed to 'group related changes into logical conventional commits'. - Boundary markers: Absent. The agent is not instructed to treat diff content as data rather than instructions.
- Capability inventory: The skill has
Bashaccess, allowing it to execute arbitrary shell commands. - Sanitization: Absent. There is no logic to filter or escape malicious instructions embedded in the code being committed.
- Evidence: The requirement to summarize and group changes based on file content means the agent must interpret the text of the changes, allowing an attacker to place instructions in a file (e.g., in a comment) that the agent might obey during the commit process.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes the
Bashtool to perform git operations. While these are functional requirements, the combination of bash access and the processing of untrusted file content (Category 8) increases the severity of potential command injection if the agent is manipulated by the file content it is diffing.
Recommendations
- AI detected serious security threats
Audit Metadata