implement
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell commands to manage the git lifecycle. Commands such as `git checkout`, `git pull`, `git commit`, and `git merge` are used for branch management and local integration. It also uses the GitHub CLI (`gh`) to create pull requests. These operations are fundamental to the skill's stated purpose of managing a development workflow.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes data from external MCP work items that could potentially contain malicious instructions.
  - Ingestion points: Data enters the agent's context through the `get_context` tool in `SKILL.md` (Steps 1, 3, 4, 5, and 6), which loads item notes and metadata.
  - Boundary markers: The instructions do not specify the use of delimiters or clear "ignore embedded instructions" warnings when processing the content retrieved from work items.
  - Capability inventory: The orchestrator possesses significant capabilities, including executing git commands, modifying the local filesystem, and spawning subagents using the `Agent` tool.
  - Sanitization: There is no evidence of sanitization or validation performed on the external content retrieved from the MCP items before it is used to drive the workflow.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations via `git pull` and `git push` to synchronize local work with remote repositories on GitHub. Since GitHub is a well-known service and the operations are tied to the developer's own repository (origin), these downloads are considered standard behavior for this type of tool.
Audit Metadata