commit
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: The skill reads untrusted data from the file system via
git diff --cachedandgit statusduring the context collection and analysis phases (Workflow Steps 1, 2, 4). - Boundary markers: No explicit instructions or delimiters are used to separate the analyzed code diffs from the agent's core instructions, increasing the risk that instructions embedded in code (e.g., in comments) could influence behavior.
- Capability inventory: The skill has the ability to modify the repository state via
git addandgit restore, and it can perform network operations viagit push(Workflow Steps 2, 7). - Sanitization: No sanitization or filtering of the code diff content is performed before analysis, which could allow malicious content to manipulate the resulting commit message or subsequent agent actions.
- [COMMAND_EXECUTION] (LOW): The workflow involves constructing shell commands using variables like
<file>and$ARGUMENTS(Workflow Steps 2, 6, 7). Without proper escaping by the agent's runtime environment, this presents a risk of command injection through maliciously named files or manipulated argument strings. - [DATA_EXFILTRATION] (LOW): The skill performs network operations via
git pushto remote repositories (Workflow Step 7). While this is the intended functionality, it constitutes a vector for the transmission of source code to external servers that may not be explicitly whitelisted.
Audit Metadata