commit-push
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE COMMAND_EXECUTION REMOTE_CODE_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automatically identifies and executes shell commands specified in the project's `package.json` scripts or `Makefile` during its pre-commit phase. This allows for the execution of arbitrary commands defined within the local environment.
- [REMOTE_CODE_EXECUTION]: By executing project-defined scripts (e.g., installation or build tasks), the skill could indirectly facilitate remote code execution if those scripts are configured to download and run external content.
- [PROMPT_INJECTION]: The skill performs analysis on file differences and project metadata to construct commit messages.
  - Ingestion points: File contents from `git diff`, `package.json`, and `Makefile`.
  - Boundary markers: There are no explicit markers or instructions to ignore adversarial text within the processed files.
  - Capability inventory: The skill can execute shell commands via subprocesses and perform network-facing git operations.
  - Sanitization: No sanitization or validation is performed on the ingested data before it is processed or used in command construction.
Audit Metadata