jujutsu
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to run jj CLI commands, enabling the agent to perform version control tasks such as creating commits, rebasing history, and managing bookmarks.
- [EXTERNAL_DOWNLOADS]: The jj git clone command allows the agent to download repository data from external URLs, which is a standard feature for version control operations.
- [PROMPT_INJECTION]: The skill description includes directive language ('REQUIRED', 'ALways activate FIRST') to ensure the agent uses the correct toolset for Jujutsu repositories to avoid data corruption. While forceful, this is instructional in nature.
- [PROMPT_INJECTION]: Potential for indirect prompt injection due to processing untrusted repository data: * Ingestion points: The agent reads potentially untrusted commit messages and file diffs using jj log, jj show, and jj diff in SKILL.md. * Boundary markers: There are no markers or instructions provided to the agent to disregard malicious commands that might be embedded in commit history. * Capability inventory: The skill allows the agent to execute further jj commands and push changes to remote servers (jj git push), providing a path for potential exploitation if the agent follows instructions found in commit data. * Sanitization: No mechanisms for sanitizing or validating the content of the repository data are present.
Audit Metadata