difit
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to automatically install the difit package from the public npm registry (npm install -g difit) if it is not found on the system. This package is from a third-party source not included in the trusted vendors list.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system commands. It constructs shell commands by directly interpolating user-provided arguments such as branch names, commit hashes, and URLs (e.g., difit <commit>, difit --pr <url>), which poses a risk of command injection.
- [COMMAND_EXECUTION]: The skill performs global system modifications by installing software via npm install -g and manages long-running background processes for a local web server.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external data from GitHub Pull Requests without sufficient safeguards.
  - Ingestion points: Data is fetched from external PR URLs as described in INSTRUCTIONS.md via the --pr flag.
  - Boundary markers: There are no delimiters or instructions provided to the agent to disregard malicious instructions embedded in the diff or PR content.
  - Capability inventory: The skill has access to the Bash tool, enabling it to execute commands and start network-accessible services.
  - Sanitization: No validation or sanitization of input arguments or fetched content is implemented.
Audit Metadata