agentic-jujutsu
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses 'npx agentic-jujutsu' for installation, which downloads and executes code from the NPM registry. It also mentions dependencies like '@qudag/napi-core'.
- [COMMAND_EXECUTION]: The 'JjWrapper' includes an 'execute' method for running arbitrary shell commands, used for Git operations and potentially suggested tasks.
- [REMOTE_CODE_EXECUTION]: The 'ReasoningBank' system provides 'recommendedOperations' which the documentation shows being executed directly by the agent. This allows for dynamic execution of commands derived from learned AI trajectories.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via its learning mechanism. Attacker-controlled data in commit messages or task descriptions could influence future command suggestions.
  - Ingestion points: Data is ingested via 'jj.startTrajectory(task)' and 'jj.finalizeTrajectory(score, critique)' in SKILL.md.
  - Boundary markers: None present in the provided examples to isolate task descriptions or critiques.
  - Capability inventory: The skill can execute shell commands via 'jj.execute()'.
  - Sanitization: No evidence of command validation or human-in-the-loop review before executing suggested operations.
Audit Metadata