wtf
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to interpolate user-provided input (the 'focus' argument) directly into bash commands, specifically `git log -- '*{focus}*'` and `git diff --stat -- '*{focus}*'`. This pattern is vulnerable to command injection if a user provides a payload containing shell metacharacters such as semicolons, backticks, or command connectors (e.g., `/wtf auth'; rm -rf /; '`). The skill lacks explicit instructions for the agent to sanitize or escape this input before execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from git commit messages (`git log`) and parses them to generate summaries.
  - Ingestion points: Commit messages and author metadata are read via the `Bash` tool in Step 2A and 2B.
  - Boundary markers: No boundary markers or 'ignore' instructions are provided to distinguish between commit data and system instructions.
  - Capability inventory: The skill has access to the `Bash` and `AskUserQuestion` tools.
  - Sanitization: The skill instructs the agent to 'parse the output silently' but does not provide any logic for sanitizing or escaping the content of the commit messages before they are processed by the LLM.
Audit Metadata