graphite-skill
Audited by Socket on Feb 16, 2026
3 alerts found:
Anomaly x2, Obfuscated File
[Skill Scanner] System prompt extraction attempt
BENIGN: The skill context and installed components are coherently aligned with its purpose of enabling context-efficient Git/Graphite workflows via automatic delegation. It uses standard installation hooks, local configuration, and non-networked operations to reduce context pollution. No credential harvesting or suspicious data flows are evident in the provided material. However, follow-up inspection of the actual install.sh and session-start.sh code is recommended to confirm there are no hidden data flows or elevated permissions introduced at runtime, especially in team contexts.
LLM verification: The skill's stated purpose (reducing context pollution by delegating verbose git/Graphite CLI output to isolated subagents) is coherent and the described capabilities align with that purpose. However, the installation and execution model is risky: it instructs users to run a shell installer that copies and enables SessionStart hooks from a local home directory into project trees, and those hooks automatically inject agent behavior on session start. That pattern is convenient but enables local co
The fragment is documentation and a benign example, but it demonstrates a noteworthy supply-chain risk: automatic execution of repository-provided hook scripts and agent-driven shell execution. There is no direct evidence of malware in the shown files, but the pattern enables an attacker with the ability to modify repository contents (or trick developers into pulling malicious commits) to execute arbitrary code on contributor machines. Recommend disabling automatic execution or requiring explicit approval, auditing hook/script contents, restricting commit rights for hooks, and sandboxing hook execution.
The code implements a legitimate plugin hook pattern that executes an external script on session start, driven by an environment variable. While common, it introduces supply-chain and runtime risks if the invoked script is untrusted or not integrity-checked. Implement integrity verification, restricted execution, and least-privilege safeguards to reduce risk.