finishing-a-development-branch
Audited by Gen Agent Trust Hub on Feb 12, 2026
The skill finishing-a-development-branch is a set of instructions written in Markdown, guiding an AI to perform common Git and GitHub CLI operations. It does not contain any executable scripts or code that would be run directly by the system, making it a 'no-code' skill in terms of direct execution.
1. Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', role-play, developer mode activation) were found. The instructions are designed to guide the AI's behavior within the scope of the skill's task, not to subvert its core directives.
2. Data Exfiltration: The skill uses standard git commands (git pull, git push, git merge, git checkout, git branch, git worktree) and the gh (GitHub CLI) command (gh pr create). These commands inherently involve network communication with remote Git repositories (e.g., GitHub). However, the skill does not instruct the AI to read sensitive local files (like ~/.aws/credentials or ~/.ssh/id_rsa) and exfiltrate them to arbitrary external servers. The network operations are part of the skill's intended and legitimate functionality for managing code.
3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected within the Markdown content.
4. Unverifiable Dependencies: The skill assumes the presence of standard development tools like git, npm, cargo, pytest, go test, and gh (GitHub CLI). It does not instruct the AI to download or install any new, unverified external packages or scripts. Therefore, no unverifiable dependencies are introduced by the skill itself.
5. Privilege Escalation: The commands used (git, npm test, cargo test, pytest, go test, gh) do not inherently require or instruct privilege escalation (e.g., sudo, chmod 777, service installation). The skill operates within the typical permissions of a developer's environment.
6. Persistence Mechanisms: The skill does not attempt to establish persistence by modifying system configuration files, user shell profiles (.bashrc, .zshrc), cron jobs, or SSH authorized keys.
7. Metadata Poisoning: The skill's name and description are benign and accurately reflect its purpose. No malicious instructions were found embedded in the metadata.
8. Indirect Prompt Injection: As an interactive skill that takes user input (e.g., choice of option, confirmation for discard), there is a general, low-level risk that a sophisticated user could craft input to try and influence the LLM's behavior. However, the skill itself does not introduce new external data sources (like emails or web pages) that could be used for indirect injection.
9. Time-Delayed / Conditional Attacks: No conditional logic based on dates, times, usage counts, or specific environment variables that would trigger delayed or conditional malicious behavior was found.
Conclusion: The skill is well-defined, uses standard and expected commands for its stated purpose, and does not exhibit any malicious patterns or introduce new security vulnerabilities. It is categorized as SAFE and NO_CODE because it consists solely of instructional text for the AI, without any directly executable code or external dependencies beyond standard developer tools.