pr-retro
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses user-supplied input from $ARGUMENTS (specifically the --base flag) to construct shell commands such as git log, git diff, and git rev-list. Without proper sanitization by the executing agent, this interpolation could be exploited for command injection if a malicious branch name containing shell metacharacters is provided.
- [PROMPT_INJECTION]: The skill processes untrusted data from the git environment, including commit messages and file diffs. This creates a surface for indirect prompt injection (Category 8), where an attacker could embed instructions in a commit message or code comment to influence the agent's analysis or override its logic.
  - Ingestion points: Step 1 (git log, git diff) and Step 7 (git diff).
  - Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore embedded prompts in the analyzed data.
  - Capability inventory: The skill uses Bash, Read, Glob, and Grep, and it has the capability to write JSON snapshots to the local file system (.history/pr-retros/).
  - Sanitization: Absent. No explicit filtering or escaping of git output is specified before the AI processes it.
- [DATA_EXFILTRATION]: The skill performs sensitive operations such as scanning for hardcoded secrets and writing snapshots to a local directory. However, these are local operations intended for pre-PR auditing and historical tracking, with no detected network calls to external domains.
Audit Metadata