finishing-a-development-branch
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Remote Code Execution] (HIGH): The skill's core process (Step 1) requires the agent to execute test suites using commands like 'npm test', 'cargo test', or 'pytest'. These commands run arbitrary code defined in the repository's configuration files. In an environment where the agent is operating on an untrusted or maliciously crafted repository, this results in immediate RCE.
- [Indirect Prompt Injection] (HIGH): The skill possesses a broad attack surface for indirect injection (Category 8).
  - Ingestion points: The agent reads the repository's state, branch names, commit history, and test command outputs.
  - Boundary markers: There are no delimiters or instructions to ignore embedded commands within the data being processed.
  - Capability inventory: The agent has the authority to execute bash commands, delete branches ('git branch -D'), push to remote servers ('git push'), and create pull requests ('gh pr create').
  - Sanitization: No validation or sanitization is performed on the repository data before it is used to influence the agent's logic or PR creation.
- [Command Execution] (MEDIUM): The skill relies heavily on shell execution for workflow automation. While the Git commands are structured, the flexibility of the test verification step allows for the execution of any binary configured as a 'test' runner in the local environment.
- [Data Exfiltration] (LOW): The skill performs network operations via 'git push -u origin'. If an attacker-controlled repository is processed, the agent could be tricked into pushing sensitive local commits to an external 'origin' server, though this is partially mitigated by the standard nature of the operation.
Recommendations
- AI detected serious security threats
Audit Metadata