finishing-a-development-branch
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes arbitrary project test commands (e.g., npm test, cargo test, pytest) as defined in the repository's configuration files. This allows an attacker who can commit to the development branch to achieve code execution on the agent's runner by modifying the test scripts in files like package.json or Makefile.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from the branch's source code and passes it to a subagent (code-simplifier) without sanitization.
  - Ingestion points: Output of git diff and the literal content of files in the branch being processed.
  - Boundary markers: Absent. The subagent prompt in references/pre-merge-simplification.md lacks delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill possesses the ability to merge code, push to remote repositories, create Pull Requests, delete branches, and execute shell commands.
  - Sanitization: No validation or escaping is performed on the branch content, file names, or metadata before they are interpolated into prompts.
Recommendations
- AI detected serious security threats
Audit Metadata