yeet
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the interpolation of the `{description}` variable in `SKILL.md`.
  - Ingestion points: User-provided description used to construct branch names and commit messages.
  - Boundary markers: No explicit delimiters are used to wrap the input or instruct the agent to ignore embedded commands.
  - Capability inventory: The skill has access to powerful CLI tools including `git` and `gh` for local and remote operations.
  - Sanitization: The input is not escaped or validated before being passed to the shell.
- [COMMAND_EXECUTION]: The skill executes shell commands using unvalidated parameters and ambiguous directives.
  - Evidence: The commands `git checkout -b "codex/{description}"` and `git commit -m "{description}"` are susceptible to shell injection if the input contains metacharacters.
  - Evidence: The instruction in `SKILL.md` to 'run pr-body.md' is ambiguous and may prompt the agent to execute a markdown file as a shell script, leading to arbitrary code execution.
- [EXTERNAL_DOWNLOADS]: The skill grants the agent broad authority to install software.
  - Evidence: The instruction to 'install dependencies' if checks fail allows for the execution of unverified package installation commands from potentially untrusted sources.
Audit Metadata