finish-feature
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In Phase 2, the skill directs the agent to locate and run test commands specified in project files like package.json or Makefile. Executing commands defined in external project files is a form of dynamic command execution that depends on untrusted content.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads project configuration files to determine its execution logic (test commands). If these files are compromised or contain malicious instructions, the agent may execute unintended actions.\n
- Ingestion points: package.json, Makefile, and CHANGELOG.md as specified in SKILL.md.\n
- Boundary markers: Absent; the skill does not define delimiters or provide instructions to ignore embedded commands within the processed files.\n
- Capability inventory: Access to Bash(git:*), Read, and Write tools.\n
- Sanitization: Absent; there are no instructions to validate or sanitize the content of the project files or the identified test commands before execution.\n- [COMMAND_EXECUTION]: Phase 4 incorporates the $FEATURE_NAME variable, which can be populated directly from user-provided $ARGUMENTS, into a shell command: git flow feature finish $FEATURE_NAME. This pattern is vulnerable to command injection if the agent does not properly sanitize shell metacharacters provided in the user input.
Audit Metadata