Skills
skills/fellowship-dev/dogfooded-skills/post-merge/Gen Agent Trust Hub

post-merge

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses sensitive local file paths to retrieve configuration and secrets.
  • Evidence: Reads PYLOT_DISPATCH_TOKEN from $HOME/projects/fellowship-dev/claude-buddy/.env in Step 4.
  • Evidence: Accesses the ${PYLOT_DISPATCH_DIR:-$HOME/.local/share/pylot/missions} directory in Step 0 to check for existing jobs.
  • [COMMAND_EXECUTION]: The skill performs command execution based on external configuration and environment variables.
  • Evidence: Step 3 executes commands read from a team's CLAUDE.md configuration (e.g., fly deploy, aws ecr).
  • Evidence: Step 4 sources a local script from a variable path: source "$PYLOT_DIR/dispatch.sh".
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted PR metadata and passes it to downstream tools.
  • Ingestion points: Fetches PR title (PR_TITLE) and file list (CHANGED_FILES) using gh pr view in SKILL.md (Step 1).
  • Boundary markers: None identified; untrusted PR data is interpolated directly into log messages, reports, and job dispatch context.
  • Capability inventory: The skill uses Bash (multiple steps), python3 (data processing), and the gh tool (PR commenting/metadata retrieval).
  • Sanitization: No sanitization or escaping of the PR_TITLE is performed before it is used in the dispatch_mission call or PR comments.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 26, 2026, 07:53 PM