lesson-learned

Warn

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill accepts user-provided input for the git 'scope' (e.g., commit SHAs, branch names, or ranges) and uses it to construct shell commands like git log, git diff, and git show. The instructions lack validation or sanitization logic for this input, which creates a surface for command injection if the execution environment does not provide native protection against shell metacharacters.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from git commit messages and diffs to extract logic and intent.
      • Ingestion points: Git commit messages and code diffs gathered in SKILL.md (Phase 2).
      • Boundary markers: Absent; there are no instructions to use delimiters or ignore embedded instructions within the data being analyzed.
      • Capability inventory: Execution of shell commands (git) and access to the local file system.
      • Sanitization: Absent; the skill explicitly instructs the agent to read commit messages as "primary context" for analysis without any filtering or safety checks.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 15, 2026, 12:15 AM