smart-commit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection because it incorporates untrusted data from git history into its prompts without sanitization or boundary markers.
- Ingestion points: Data enters the agent via
git diffandgit loginscripts/git_utils.sh(e.g.,get_staged_diff,get_last_commits). - Boundary markers: Absent. The prompts in
references/prompts.mduse standard Markdown but lack unique delimiters or instructions to ignore embedded commands within the diff content. - Capability inventory: The skill possesses high-impact capabilities including
git commit,git reset --soft, andgit addviascripts/git_utils.sh. - Sanitization: No sanitization or validation is performed on the git output before it is sent to the LLM, nor on the LLM's response before it is used in shell commands.
- [COMMAND_EXECUTION] (HIGH): The script
scripts/git_utils.shuses shell variables (like$message) directly in command strings (e.g.,git commit -m "$message"). While double-quoted, if the LLM-generated message is influenced by an indirect prompt injection to include specific shell escapes or if the agent's execution environment processes these arguments unsafely, it could lead to arbitrary command execution on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata