agentic-jujutsu

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Downloads the agentic-jujutsu utility from the NPM registry using npx. This package is the primary distribution method for the tool's core components and is managed by the authoring organization.
  • [COMMAND_EXECUTION]: Utilizes subprocess execution through the jj.execute method to perform version control tasks such as pushing and rebasing. This capability is expected for the skill's role as a repository management wrapper.
  • [PROMPT_INJECTION]: Presents a vulnerability surface for indirect prompt injection through its self-learning trajectory system.
      - Ingestion points: Untrusted data enters the context via the taskDescription parameter in the getSuggestion method and the task parameter in startTrajectory.
      - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided implementation examples.
      - Capability inventory: The skill has the ability to execute arbitrary shell commands using its internal execution wrapper.
      - Sanitization: While tool outputs are parsed as JSON, there is no evidence of specific validation or sanitization for command strings generated by the AI reasoning service before they are executed in the workflow.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 3, 2026, 05:44 AM