yeet
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill defines shell command templates, such as
git checkout -b "{github username}/ar-{jira ticket number}/{description}", that interpolate user-provided strings without sanitization. This is a critical shell injection vulnerability where malicious ticket descriptions could execute arbitrary commands. - [EXTERNAL_DOWNLOADS] (MEDIUM): The instruction to "install dependencies and rerun once" if checks fail provides the agent with broad authority to download and install arbitrary software, posing a risk of supply chain attacks or malware installation.
- [COMMAND_EXECUTION] (MEDIUM): The directive to "run pr-body.md" is dangerously ambiguous. If interpreted by the agent as a request to execute the markdown file as a shell script, it would execute content derived from untrusted PR descriptions.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection. 1. Ingestion points: PR descriptions are generated from code diffs as described in SKILL.md. 2. Boundary markers: None are defined to separate code from instructions in the PR generation flow. 3. Capability inventory: Shell execution via git and gh commands. 4. Sanitization: No filtering of code comments or diff content that might contain hidden instructions.
Recommendations
- AI detected serious security threats
Audit Metadata