daily-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to the processing of external data. \n
- Ingestion points: GitHub commit messages are retrieved via the
gh search commitscommand in Step 3. \n - Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to distinguish between user-provided data and system instructions when processing the commit history. \n
- Capability inventory: The skill is granted
Write,Edit, andBash(gh:*)permissions. This combination allows an attacker who successfully injects instructions into a commit message to potentially modify local files, overwrite the journal, or perform unauthorized GitHub operations. \n - Sanitization: Absent. There is no logic provided to sanitize or filter the content of commit messages before the agent summarizes them. \n
- Command Execution (MEDIUM): The skill requests the
Bash(gh:*)tool. While intended for commit searches, the broad glob patterngh:*could allow the agent to execute any GitHub CLI command (e.g., deleting repositories or managing secrets) if tricked by an injection.
Recommendations
- AI detected serious security threats
Audit Metadata