finishing-a-development-branch
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): This skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted content from the repository (such as branch names, commit messages, and test outputs) and has high-impact write/execute capabilities.
- Ingestion points: Local repository configuration files (e.g., package.json, Makefile) and command-line outputs from the execution of tests.
- Boundary markers: Absent. The skill does not employ delimiters or specific instructions to isolate untrusted project data from the agent's logic.
- Capability inventory: Arbitrary shell execution via project test runners (npm/cargo/pytest), git modification operations (git branch -D), and network-enabled actions via the GitHub CLI.
- Sanitization: None. Variables derived from the environment, like and , are interpolated directly into shell strings without validation or escaping.
- COMMAND_EXECUTION (MEDIUM): The skill performs dynamic command generation and execution (Category 10) by assembling shell commands at runtime based on the detected project environment and user inputs.
- DATA_EXFILTRATION (LOW): The skill uses network-facing commands such as 'git push' and 'gh pr create' to send local code and metadata to remote servers. While standard for development, this represents an external data transfer boundary.
Recommendations
- AI detected serious security threats
Audit Metadata