release-notes
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to the processing of untrusted external content.
  - Ingestion points: The workflow ingests data from git log, git diff, and merged PR titles/descriptions via the GitHub CLI.
  - Boundary markers: No delimiters or instructions are provided to the agent to distinguish between git history data and the system instructions.
  - Capability inventory: The skill uses git and rg (ripgrep) to extract information from the filesystem and version control history.
  - Sanitization: There is no evidence of sanitization for the extracted text. A malicious actor could craft a commit message or PR description containing instructions designed to hijack the agent's output or reasoning.
- COMMAND_EXECUTION (LOW): The skill relies on executing local shell commands (git, rg, gh) to gather repository information. While these are used as intended for the skill's functionality, they represent a baseline attack surface for the environment in which the agent operates.
Audit Metadata