git-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes content from external developer specifications to automate git workflows.
  - Ingestion points: Data is ingested from external files (PRDs, SDDs) into variables such as `spec_id`, `spec_name`, `identifier`, and `summary` (e.g., in Operation 5).
  - Boundary markers: There are no boundary markers or instructions to isolate or ignore instructions embedded within the processed specification files.
  - Capability inventory: The skill has access to the `Bash` tool, allowing it to execute arbitrary system commands.
  - Sanitization: No sanitization, escaping, or validation logic is present to ensure that external strings do not contain shell metacharacters.
- [COMMAND_EXECUTION] (HIGH): Direct shell command injection vulnerability in multiple operations.
  - Evidence (Operation 5): In the `gh pr create` operation, the `${spec_name}` and `${summary}` variables are interpolated directly into the command string. A malicious specification file with a title like `"; touch /tmp/pwned; #` would result in arbitrary command execution when the agent attempts to create a pull request.
  - Evidence (Operation 2): In branch creation, the `${identifier}` variable is used directly in a `case` statement and `git checkout -b` command without validation, providing another vector for shell injection.
Recommendations
- AI detected serious security threats