smart-commit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8), because its core workflow is to read repository contents and act on them.
  - Ingestion points: Processes untrusted data from the filesystem, including filenames (git status), directory structures (find), and file contents (git diff).
  - Boundary markers: Absent. The instructions do not specify any delimiters or safety prompts to prevent the agent from obeying instructions embedded within the files it is analyzing.
  - Capability inventory: Has significant side-effect capabilities, including git add, git commit, and git push to remote repositories.
  - Sanitization: None. External file content is processed directly.
  - Risk: A malicious repository could contain files named or structured in a way that tricks the agent into performing unauthorized actions, such as bypassing the security audit or pushing sensitive data to an attacker-controlled branch.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes shell commands using filenames as arguments.
  - Evidence: Commands like `git diff --cached --name-only | xargs grep ...` and `git status --porcelain | grep ...` are used.
  - Risk: Filenames containing whitespace, quotes or other shell metacharacters can cause argument splitting, command injection or unexpected behavior, especially as xargs is used without the NUL-delimiter safety of `-0` (paired with `-z` on the git side).
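The following is an added example, not code from the smart-commit skill, showing concretely what the finding above describes: a staged file with a space in its name that holds a secret is silently skipped by the newline/xargs pipeline and caught by the NUL-delimited one. Git is not required to run it; the output of `git diff --cached --name-only` is simulated with printf, and the file names, contents and the secret-shaped pattern are all constructed for the demonstration.

```shell
# Added example (not part of the smart-commit skill): why newline-delimited
# filenames piped into xargs break, and the NUL-delimited form that does not.
# Assumptions: git is not required; the output of `git diff --cached --name-only`
# is simulated with printf. The pattern, file names and contents are constructed.

# Regex for the shape of an AWS access key id (constructed test pattern, BRE syntax).
PATTERN='AKIA[0-9A-Z]\{16\}'

# Build a throwaway workspace with one staged-looking file whose name
# contains a space and whose content matches PATTERN.
setup_workspace() {
  dir=$(mktemp -d)
  printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$dir/my config.env"
  printf 'nothing sensitive here\n' > "$dir/README.md"
  printf '%s\n' "$dir"
}

# Stand-in for `git diff --cached --name-only` (one name per line).
staged_names_newline() {
  printf '%s\n' 'my config.env' 'README.md'
}

# Stand-in for `git diff --cached --name-only -z` (names separated by NUL).
staged_names_nul() {
  printf '%s\0' 'my config.env' 'README.md'
}

# The pattern the audit flags: xargs splits on whitespace, so grep is called
# with the arguments "my", "config.env" and "README.md". The first two do not
# exist, the third has no match, and the secret is silently missed.
naive_scan() {
  ( cd "$1" && staged_names_newline | xargs grep -l "$PATTERN" 2>/dev/null ) || true
}

# Hardened form: NUL-delimited names with xargs -0 keep each path intact, so
# "my config.env" is scanned and reported.
safe_scan() {
  ( cd "$1" && staged_names_nul | xargs -0 grep -l "$PATTERN" 2>/dev/null ) || true
}

# What the real pre-commit check should look like (needs a git repo; not run here):
#   git diff --cached --name-only -z --diff-filter=ACMR | xargs -0 grep -n "$PATTERN"

# Stand-alone demonstration: the naive scan prints nothing, the safe scan
# prints "my config.env".
ws=$(setup_workspace)
echo "naive: [$(naive_scan "$ws")]"
echo "safe:  [$(safe_scan "$ws")]"
rm -rf "$ws"
```

Whitespace is only the most visible failure. GNU xargs without `-0` also interprets single quotes, double quotes and backslashes in its input, so a single filename containing an apostrophe aborts the whole batch with an "unmatched single quote" error, and a "secret scan passed" verdict built on that pipeline can be produced by a repository that simply names one file accordingly.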
- [EXTERNAL_DOWNLOADS] (MEDIUM): Critical logic depends on missing external files.
  - Evidence: References to `references/security-checklist.md` and `references/grouping-patterns.md` are present in the workflow, but the files themselves are missing.
  - Risk: The security audit's completeness and the file-grouping logic are unverifiable, potentially hiding malicious patterns or leaving gaps in the promised protection.
Recommendations
- AI detected serious security threats