weaver-base

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extracts fields from an untrusted specification YAML (such as pr.title, pr.branch, and pr.base) and interpolates them directly into shell commands. Specifically, commands like git checkout -b <pr.branch>, git commit -m "<pr.title>", and gh pr create --title "<pr.title>" are used. If these fields contain shell metacharacters or backticks, they could be used to execute arbitrary commands on the system.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input from a specification file and uses it to drive agent logic and subagent behavior without sanitization.
      • Ingestion points: The spec YAML section provided in the agent's context (referenced in SKILL.md).
      • Boundary markers: The skill uses XML-style tags like <spec> to separate context, but does not instruct the agent to ignore potentially malicious instructions embedded within the spec data.
      • Capability inventory: The skill has access to the file system, shell command execution (git, gh), and the ability to spawn subagents via the Task tool.
      • Sanitization: There is no evidence of validation or escaping for the data extracted from the YAML fields before it is used to construct prompts or shell commands.
  • [DATA_EXFILTRATION]: While the skill is intended to create Pull Requests, the automatic execution of git push and gh pr create based on an externally provided specification could be leveraged to push sensitive files if the building_spec.files field in the spec is manipulated to include sensitive local paths.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 11:02 AM