lfg

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands using git and gh (GitHub CLI). It performs actions such as staging files, committing changes, resolving remotes, pushing branches, and editing pull request bodies (gh pr edit). These are standard operations for its stated purpose of an autonomous engineering workflow.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from multiple sources and uses it to perform high-privilege actions like updating PRs and filing tracker tickets.
    • Ingestion points: Processes $ARGUMENTS, generated plan files in docs/plans/, and residual findings from the ce-code-review skill. It also reads repository documentation (e.g., CLAUDE.md, README.md) to dynamically identify and configure issue trackers.
    • Boundary markers: While it organizes output into Markdown sections, it lacks specific delimiters or explicit instructions to ignore potentially malicious embedded commands within the ingested data.
    • Capability inventory: Possesses capabilities to modify the repository (git push), modify external collaboration metadata (gh pr edit), and create tickets in external services (Linear, Jira, GitHub Issues) via CLI or API tools.
    • Sanitization: There is no evidence of content sanitization or validation before interpolating external findings or documentation snippets into PR descriptions or issue tickets.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 26, 2026, 07:38 PM