agentic-jujutsu
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation instructs users to install the tool using `npx agentic-jujutsu`, which downloads and executes code from the NPM registry. The repository linked in the documentation (github.com/ruvnet/agentic-flow) is not associated with the provided trusted vendor list.
- [COMMAND_EXECUTION]: The `JjWrapper` class exposes an `execute` method that allows the agent to run arbitrary shell commands. This is demonstrated in the examples for performing Git operations and executing AI-recommended deployment steps.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ReasoningBank integration, which fetches task suggestions that the agent then executes.
  * Ingestion points: `jj.getSuggestion()` and `jj.queryTrajectories()` fetch data from an external learning bank.
  * Boundary markers: None are present to distinguish between internal instructions and external suggestions.
  * Capability inventory: The `jj.execute()` method provides a high-privilege execution sink for suggested commands.
  * Sanitization: The provided code examples show the agent iterating through and executing `recommendedOperations` without any validation or human-in-the-loop checks.
Audit Metadata