Skills
skills/sethgammon/citadel/merge-review/Gen Agent Trust Hub

merge-review

Warn

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs automated, destructive cleanup in Step 8 using shell commands (git worktree remove "{path}" --force and git branch -d "{branch}") constructed from external data. The absence of sanitization for these variables presents a risk of command injection if the source file or git state is manipulated.\n- [PROMPT_INJECTION]: The skill's documentation contains misleading safety claims. It describes itself as 'Read-only' with 'green' (safe) reversibility, yet it executes irreversible file and branch deletions without user confirmation. This discrepancy masks the skill's actual operational risk.\n- [PROMPT_INJECTION]: A vulnerability surface for indirect prompt injection exists due to the processing of untrusted data from .planning/telemetry/merge-check-queue.jsonl.\n
  • Ingestion points: Step 1 reads data from a local JSONL file.\n
  • Boundary markers: Absent; there are no instructions to the agent to treat the file content as untrusted data or to ignore embedded instructions.\n
  • Capability inventory: The agent has access to git commands that can modify the repository state (worktree remove, branch -d).\n
  • Sanitization: Absent; data is used directly in shell command interpolation and report generation without validation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 5, 2026, 10:49 AM