process-commit
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The command
git diff HEAD --name-only | xargs -I {} sh -c '...'in Step 2 uses string substitution ({}) for filenames within a shell command. If a repository contains a file with a malicious name (e.g., containing shell metacharacters like$(...)or backticks), it could lead to arbitrary command execution when the skill is executed. - EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on a non-standard, third-party tool named
git-sequential-stage. This tool is not a standard part of the Git suite and its source or integrity is not defined in the skill, posing a risk of executing untrusted code if the environment attempts to install or run an unverified version. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted repository data without adequate safety measures.
- Ingestion points: Untrusted content enters the agent's context through
git diffoutput saved to.claude/tmp/current_changes.patch. - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when the agent is asked to analyze the hunks.
- Capability inventory: The agent has the ability to execute shell commands (
git commit) and thegit-sequential-stagetool. - Sanitization: No sanitization or validation is performed on the diff data before the agent processes it for "meaningful grouping" and commit planning.
Audit Metadata