checkpoint
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill ingests untrusted data from the Git repository.
  - Ingestion points: Stash descriptions and names from `git stash list` enter the agent context.
  - Boundary markers: Absent. There are no instructions for the agent to use delimiters when processing or displaying stash content.
  - Capability inventory: The skill uses the `Bash` tool to perform `git stash apply` and other commands, which modify the filesystem.
  - Sanitization: Absent. No validation is performed on stash descriptions before display or use.
- [Command Execution] (MEDIUM): The 'Create checkpoint' instruction directs the agent to construct a Git command using a user-provided name. This pattern poses a command injection risk if the agent does not correctly escape the name before executing it via the `Bash` tool.
Audit Metadata