commit
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in the `pre_commit` section of `.agents/commit.config.yaml` during Step 4.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. In Step 1 and Step 5, it ingests untrusted data from project files like `package.json` and various `*.md` files. This content is analyzed by subagents to identify pre-commit scripts and documentation update conditions. Evidence chain:
  1. Ingestion points: `package.json` and all `*.md` files in the repository.
  2. Boundary markers: Absent.
  3. Capability inventory: Execution of arbitrary shell scripts, `git commit`, `git push`, and `gh pr create`.
  4. Sanitization: Absent.
- [DATA_EXFILTRATION]: The skill performs `git push` and `gh pr create` (Steps 8 and 9), which transmit the local repository's source code, staged changes, and documentation to external remote servers and the GitHub platform.
- [REMOTE_CODE_EXECUTION]: The workflow allows for the execution of commands inferred from the environment. If an attacker can influence the content of files like `package.json` or documentation files, they can trick the agent into configuring and executing malicious scripts under the guise of pre-commit hooks.
Audit Metadata