fast-meeting
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs multiple autonomous shell operations including
git worktree,git push, and system-level worktree cleanup without user oversight or confirmation checkpoints. - [REMOTE_CODE_EXECUTION]: The workflow includes an automated test runner detection phase that executes arbitrary code defined in project configuration files (e.g.,
package.jsonscripts,Makefile,pytest). This execution occurs autonomously on code the agent may have just generated or modified. - [PROMPT_INJECTION]: The skill contains explicit instructions to bypass safety-critical human-in-the-loop patterns, using phrases such as "all without user intervention", "The entire pipeline runs without asking any user questions", and "Immediately proceed to implementation without asking the user".
- [PROMPT_INJECTION]: The skill is highly susceptible to instructions embedded in external data sources (Indirect Prompt Injection).
- Ingestion points: External data enters the context via the
gitlab-mcp(get_issue)tool and user-provided subject strings. - Boundary markers: Absent. There are no delimiters or instructions to ignore malicious commands embedded in issue descriptions or comments.
- Capability inventory: Includes file system modification (writing code), shell command execution (
git,gh, test runners), and remote repository modification (git push,gitlab-mcp(create_merge_request)). - Sanitization: No sanitization or validation of the ingested issue content or the resulting generated code is performed before execution or deployment.
- [DATA_EXFILTRATION]: While intended as a core feature, the autonomous
git pushcapability allows for the movement of code and project metadata to remote servers without manual verification of the payload by a user.
Recommendations
- AI detected serious security threats
Audit Metadata