contribute
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
- [COMMAND_EXECUTION]: The skill accepts a feature branch name from user input and interpolates it directly into a bash command string ('git town hack {branch-name}'). This allows for arbitrary command injection if the user provides a branch name containing shell metacharacters such as semicolons, backticks, or pipe symbols.
- [PROMPT_INJECTION]: The 'Post-Execution Reflection' section instructs the agent to self-modify its own 'SKILL.md' file based on the outcome of its execution. This architectural pattern is vulnerable to persistent indirect prompt injection. Ingestion points: user-provided feature names and command outputs. Boundary markers: none. Capability inventory: 'Write', 'Edit', 'Glob', and 'Bash' tools. Sanitization: no validation or filtering of content before writing it back to the skill's instructions.
- [CREDENTIALS_UNSAFE]: The workflow runs 'git remote get-url' and 'git config', commands that frequently return sensitive data such as repository access tokens or private server configurations, which exposes these secrets to the agent's execution context.
Audit Metadata