commit-work
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection as it ingests untrusted data from the local file system and has the capability to execute commands based on that context.
- Ingestion points: The skill reads external content via
git status,git diff, andgit diff --cached(Step 1 and Step 4 inSKILL.md). - Boundary markers: There are no boundary markers or delimiters defined to separate the code content being reviewed from the agent's instructions.
- Capability inventory: The agent is authorized to perform file staging (
git add), committing (git commit), and running arbitrary local scripts such asunit tests,lint, orbuild(Step 7 inSKILL.md). - Sanitization: No sanitization or filtering of the code content is performed before the agent processes it.
- Command Execution (MEDIUM): The skill explicitly instructs the agent to execute shell commands and repository-specific scripts.
- Evidence: Step 7 in
SKILL.mddirects the agent to 'Run the repo's fastest meaningful check (unit tests, lint, or build)'. Since these scripts are defined within the repository being managed, an attacker who can influence the repository content can achieve execution of arbitrary code when the agent attempts to 'verify' a commit.
Recommendations
- AI detected serious security threats
Audit Metadata