ship
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill performs multiple destructive and external-facing shell operations, including
git add,git commit,git push, andgh pr create. It specifically instructs the agent to bypass human-in-the-loop safety checks with directives such as "Do NOT ask user for confirmation - auto-generate and proceed" and "No confirmation prompts
- 'Ship' is the confirmation. Execute immediately."
- INDIRECT_PROMPT_INJECTION (HIGH): The skill is vulnerable to instructions embedded in the data it processes.
- Ingestion points: The skill reads untrusted repository content via
git diff --stat,git diff --cached, andgit login SKILL.md. - Boundary markers: None. There are no delimiters or instructions to treat the ingested diff content as data rather than instructions.
- Capability inventory: The skill has write/execute capabilities via
git pushandgh pr createas seen in Steps 4 and 5 of SKILL.md. - Sanitization: No sanitization is performed on the ingested diff content before it is processed by the LLM to generate commit messages and PR bodies.
- PROMPT_INJECTION (MEDIUM): The skill contains 'Override' style instructions that attempt to redefine the agent's safety constraints, specifically targeting the elimination of confirmation prompts for significant actions.
Recommendations
- AI detected serious security threats
Audit Metadata