pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core workflow relies on processing untrusted external data which could contain malicious instructions.
- Ingestion points: Step 4 uses
git logandgit diffto gather context. Step 5 uses per-commit diffs viagit show. An attacker who contributes a commit to a repository could include prompt injection triggers in the commit message or code changes. - Boundary markers: Absent. The instructions do not define delimiters (like XML tags or triple quotes) to separate untrusted commit data from the agent's system instructions.
- Capability inventory: The skill has extensive write capabilities, including
git push,gh pr create/edit, andglab mr create/update. It can modify repository state and push code to remotes. - Sanitization: Absent. There is no logic to filter or escape the content generated from the diffs before it is passed into shell commands via the
Bashtool. - [Command Execution] (MEDIUM): The
allowed-toolsconfiguration uses broad wildcards (git:*,gh:*,glab:*). While restricted to specific binaries, these tools have subcommands capable of deleting resources, modifying access controls, or exfiltrating data (e.g.,gh secret set,gh repo delete). If the agent is compromised via indirect prompt injection, these tools provide a high-impact attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata