ship
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs several high-impact operations using `git`, `npm`, and the `gh` CLI. It executes local scripts such as `bin/test-lane` and `npm run test`, which gives the agent broad authority to run code within the repository's environment.
- [PROMPT_INJECTION]: The instructions command the agent to act in a 'non-interactive, fully automated' manner and to 'NOT ask for confirmation at any step.' This bypasses standard safety protocols that usually require human verification for high-impact actions like pushing code or creating pull requests.
- [DATA_EXFILTRATION]: The skill gathers repository metadata, diffs, and test results and transmits them to GitHub via the `gh pr create` command. This behavior is expected for its purpose but constitutes an outbound data transfer of project information.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing data from the repository (git diffs, commit logs, and checklist files) to influence its decision-making and generate output.
  - Ingestion points: `git diff`, `git log`, `CHANGELOG.md`, `.claude/skills/review/checklist.md`, and test/eval output files.
  - Boundary markers: Not implemented; untrusted repository data is interpolated directly into prompts.
  - Capability inventory: Full `Bash` access, file modification (Write/Edit), and GitHub interaction via the `gh` CLI.
  - Sanitization: No sanitization or escaping of the ingested text is performed before processing.
Audit Metadata