devops-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to detect project language, install dependencies, and run validation hooks. Evidence includes 'pip install pre-commit', 'pre-commit install', 'pre-commit run --all-files', and 'git push' commands in SKILL.md.
- [EXTERNAL_DOWNLOADS]: Fetches the pre-commit framework and references external hook configurations from established community repositories like those from the Python Code Quality Authority (PyCQA) and Astral.
- [PROMPT_INJECTION]: The skill processes untrusted local project files (e.g., package.json, pyproject.toml) to determine configuration logic, creating a surface for indirect instructions to influence agent behavior. 1. Ingestion points: File discovery and metadata checks in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Subprocess calls for pip, pre-commit, and git. 4. Sanitization: Absent.
Audit Metadata