stacked-diffs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill utilizes standard system commands (git and gh) to perform repository management tasks. These are used as intended for the workflow.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill possesses a high-risk capability surface according to Category 8 criteria.
  - (1) Ingestion points: The agent ingests local file content and git history during the feature implementation process (SKILL.md).
  - (2) Boundary markers: Uses EOF for PR body creation which prevents shell interpolation, but lacks markers to distinguish between agent-generated instructions and untrusted data from the repository.
  - (3) Capability inventory: Includes git push and gh pr create, providing the agent with write access to remote repositories.
  - (4) Sanitization: No sanitization or validation of the content being pushed or the PR descriptions being generated is present.
Recommendations
- AI detected serious security threats
Audit Metadata