skills/cristoslc/swain/swain-sync/Gen Agent Trust Hub

swain-sync

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several local scripts via the bash shell, including adr-check.sh and rebuild-index.sh. Specifically, in the 'Session bookmark' step, it uses find to locate and execute swain-bookmark.sh based on a path pattern. Executing scripts from computed paths is a dynamic execution risk.
  • [COMMAND_EXECUTION]: In Step 5, the skill interpolates AI-generated commit messages into a shell command using a heredoc (cat <<'EOF'). The quoted delimiter prevents variable expansion inside the heredoc, but if the AI-generated message contains the delimiter string EOF on a line by itself, the block terminates prematurely and the shell parses the remaining lines of the message as commands, leading to shell errors or command injection.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in Step 4. It ingests the output of git diff --cached (untrusted data from the repository) and passes it to the AI to generate a commit message. Malicious instructions embedded in the diff could manipulate the generated message or influence subsequent agent behavior.
  • [DATA_EXFILTRATION]: Step 6 uses the gh pr create command, which transmits the local branch name, commit subjects, and the content of the staged changes to the remote GitHub repository. While this is the intended functionality of the skill, it involves sending repository data to an external service.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 12:10 AM