commit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection because it incorporates untrusted data from the local environment into the agent's decision-making process.
  ● Ingestion points: The command `git diff HEAD` reads the contents of all changed files, which could include malicious instructions planted by an attacker.
  ● Boundary markers: There are no boundary markers, delimiters, or system-level instructions provided to the agent to treat the diff output as data rather than instructions.
  ● Capability inventory: The skill explicitly allows the agent to execute `git add -A` and `git commit`, which are write operations that can be used to persist malicious changes or execute further commands if the agent is manipulated.
  ● Sanitization: No sanitization, filtering, or validation is performed on the output of the git commands before the agent processes them.
- [Command Execution] (LOW): The skill's core functionality relies on executing shell commands (`git`). While necessary for the stated purpose, this provides the agent with a direct interface to the underlying filesystem, which increases the impact of a successful prompt injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata