gts-library-workflows
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection through multiple data ingestion vectors.
  - Ingestion points: The skill ingests untrusted data from `git diff --staged`, `git log`, and external web content via `agent-browser` (referenced in the `compare-preprod-header.md` workflow).
  - Boundary markers: There are no instructions to use delimiters or XML tags to isolate untrusted repo data from the agent's instructions, nor are there 'ignore embedded instructions' warnings.
  - Capability inventory: The skill has high-privilege capabilities including `git commit`, `git push`, and the ability to execute various local scripts via `bun run`.
  - Sanitization: No sanitization or validation of the ingested diffs or web content is performed before the agent uses that data to generate code (commit messages) or make decisions.
  - Evidence (commit-and-push.md): The agent is instructed to 'Analyze the changes' from `git diff` to determine commit types. A malicious payload in a file change could override the agent's behavior during the commit process.
- COMMAND_EXECUTION (MEDIUM): The skill relies heavily on the execution of shell commands and local scripts.
  - Evidence (build-tokens.md, convert-color.md): The instructions direct the agent to run `bun run tokens:build` and scripts like `scripts/convert-hex-to-oklch.js`. This assumes the local repository environment is fully trusted. If an attacker can modify these local scripts, they achieve arbitrary code execution via the agent.
  - Evidence (commit-and-push.md): The use of heredocs (`git commit -m "$(cat <<'EOF' ... EOF)"`) to pass agent-generated strings to the shell is a pattern that can be exploited if the generated string is manipulated via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata