plan-execute
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the processing of external ticket data (Jira, Linear, GitHub). An attacker can embed malicious instructions within ticket descriptions or comments that the agent reads and treats as authoritative requirements.
- [COMMAND_EXECUTION]: The skill implements a dynamic execution pattern where a 'verification command' is generated based on the task description and subsequently executed. If the task description is influenced by a malicious ticket, this allows for arbitrary command execution on the host system.
- [DATA_EXFILTRATION]: The skill contains instructions to commit and push ALL outstanding changes detected by 'git status', regardless of whether they are related to the task. Although it mentions excluding secrets, automated filters are often bypassable, creating a high risk of leaking sensitive local files, environment variables, or configuration to remote repositories.
- [COMMAND_EXECUTION]: The skill utilizes high-privilege automation capabilities including pushing code, opening pull requests, and enabling auto-merge. When combined with the processing of untrusted external input, this creates a pathway for automated deployment of malicious code without human intervention.
Audit Metadata