create-branch
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill constructs shell commands by directly interpolating untrusted user input into git and GitHub CLI commands. Ingestion points: User-provided
<issue-number>and<branch-name>. Boundary markers: Absent; no delimiters are used to separate input from command structures. Capability inventory: UsesBashto executegit checkout,git push, andgh issue develop. Sanitization: Relies on natural language instructions for validation rather than programmatic enforcement, allowing an attacker to potentially inject shell metacharacters (e.g.,;,|,&) to execute arbitrary commands. - [PROMPT_INJECTION] (MEDIUM): The skill's input validation and behavior (e.g., prefixing and kebab-case enforcement) are governed by natural language instructions. These are susceptible to being bypassed by adversarial user input, which could lead the agent to ignore safety constraints or perform unintended operations.
Recommendations
- AI detected serious security threats
Audit Metadata