ask
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the git-ai CLI tool via a restricted Bash environment to retrieve code authorship and conversation transcripts. This usage is aligned with the skill's stated purpose and limited to the git-ai command set.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes content from code files and historical AI transcripts, which are not fully trusted.
  - Ingestion points: Code files accessed via the Read tool and transcript data retrieved via git-ai search/blame.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are used when interpolating the user's question, file paths, or retrieved conversation data into the subagent's prompt template.
  - Capability inventory: The agent has access to file reading and restricted command execution via git-ai.
  - Sanitization: No sanitization or validation of the ingested code or history data is implemented before it is presented to the agent.
Audit Metadata