restack
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The Python helper script (
scripts/restack.py) manages git operations using thesubprocess.runmodule with list-based arguments. This approach is secure against command injection because it treats branch names and commit hashes as literal data rather than executable shell instructions. \n- [SAFE]: The skill does not access sensitive files, such as SSH keys or environment secrets, and limits its network activity to standard git remote operations (fetch/push) with the user's configured remotes. \n- [SAFE]: No external packages or remote code executions are used. The script relies entirely on the Python 3.9+ standard library, eliminating the risk of supply chain attacks or untrusted dependency installation. \n- [SAFE]: Regarding indirect prompt injection (Category 8): \n - Ingestion points: Branch names and commit metadata are ingested from the local git history via the
scripts/restack.pyscript (e.g., inSKILL.mdStep 2). \n - Boundary markers: The script produces structured JSON or compact key-value pairs which helps the agent distinguish stack data from instructions. \n
- Capability inventory: The skill allows for branch rebasing, deletion, and pushing, which are standard operations for the stated purpose. \n
- Sanitization: Inputs are passed safely to git via subprocess lists, ensuring they cannot escape the intended git command context.
Audit Metadata