generating-patches
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): Vulnerable to Indirect Prompt Injection (Category 8) due to processing untrusted codebase data without adequate safeguards.
  - Ingestion points: Codebase files in the working directory accessed via `git diff` and `git status`.
  - Boundary markers: Absent; untrusted content is not delimited from instructions.
  - Capability inventory: Execution of `git` subprocesses and file writing to `/mnt/user-data/outputs/`.
  - Sanitization: Absent; filenames and diff output are used directly in markdown and shell loops. Malicious instructions in the codebase could influence the agent's summary or next-step reasoning.
- [DATA_EXFILTRATION] (LOW): The skill facilitates data exposure. If directed to sensitive directories (e.g., `~/.ssh`, `.env`), it bundles private information into a patch file for download via the output directory.
- [COMMAND_EXECUTION] (LOW): The skill uses shell commands with string interpolation for tasks like PR description generation. Fragile shell patterns (e.g., `while read f` without `-r`) could be targeted via malicious filenames containing shell metacharacters.
Audit Metadata