branch-surgery-pr-split
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires executing standard git commands to perform branch analysis and manipulation. This is documented in 'SKILL.md' and 'references/audit-gates.md' which specify the use of 'git diff', 'git cherry-pick -n', and 'git commit' to manage code changes. These commands are necessary for the skill's primary function but represent a capability that interacts with the user's local filesystem.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) as it processes untrusted repository data. 1. Ingestion points: The agent reads commit counts, file names, commit messages, and net diff content in 'SKILL.md' (Step 1 and Step 6) and 'references/audit-gates.md'. 2. Boundary markers: There are no delimiters or instructions provided to isolate these inputs or warn the model to ignore instructions embedded within the git metadata or file contents. 3. Capability inventory: The skill has the ability to write to the repository and modify branch state via 'git' commands. 4. Sanitization: No sanitization or filtering of the ingested git data is performed before it is presented to the model's context.
Audit Metadata