commit-validator

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the 'Bash' tool to integrate with Git hooks and CI/CD pipelines. It provides example shell scripts to automate commit message validation during the local development workflow and remote build processes.
  • [PROMPT_INJECTION]: The skill processes untrusted commit message strings retrieved from Git history, which serves as an ingestion point for potential indirect prompt injection attacks.
    1. Ingestion points: Examples in SKILL.md show commit messages being read via 'git log' and piped to the validator.
    2. Boundary markers: No explicit delimiters or isolation warnings are used to separate the external commit data from the agent's instructions.
    3. Capability inventory: The skill has access to 'Bash', 'Read', and 'Grep' tools, providing a significant capability surface if influenced by malicious input.
    4. Sanitization: Validation logic relies on a regular expression for formatting but lacks specific sanitization or escaping of the commit content against prompt-based instruction sequences.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 21, 2026, 04:11 PM