git-operations-specialist
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is highly vulnerable to instructions embedded in external data.
  - Ingestion points: Uses `gh api` and GraphQL to fetch 'latest comments', PR details, and issue information.
  - Boundary markers: Absent. There are no instructions to wrap untrusted content in delimiters or to ignore instructions found within fetched data.
  - Capability inventory: Includes write access to the filesystem (`git`) and administrative actions via GitHub CLI (`gh`).
  - Sanitization: Absent. No logic is provided to filter or escape content from external contributors.
- Prompt Injection (LOW): The 'CRITICAL' instruction at the start of the body attempting to force the caller to 'delegate ALL Git operations' and 'NOT execute git commands directly' is a behavioral override attempt intended to monopolize the tool-use context.
- Command Execution (SAFE): While the skill executes shell commands (`git`, `gh`), these are the primary stated purpose of the skill and are handled via a structured reporting format.
Audit Metadata