gsd-ship
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill's functionality includes tracking reviews and preparing merges, which requires processing content from pull request descriptions and comments. This external data could contain instructions designed to manipulate the agent's behavior during the critical 'ship' phase.
  - Ingestion points: Pull request comments, review feedback, and PR descriptions.
  - Boundary markers: Absent. The skill gives the agent no instructions to delimit external data or to ignore instructions embedded in it.
  - Capability inventory: Branch pushing, PR creation, and spawning of additional agents.
  - Sanitization: None. The skill does not validate the content of the reviews before acting upon them.
- [DYNAMIC_EXECUTION]: The skill is configured to execute a workflow from a fixed local path ('@/mnt/local-analysis/workspace-hub/.codex/get-shit-done/workflows/ship.md'). Loading instructions from a file outside of the skill's own manifest is a form of dynamic instruction execution that could be exploited if the target file is compromised or modified by unauthorized local processes.
- [PROMPT_INJECTION]: The instruction to 'pick a reasonable default' when user input is unavailable ('Execute mode fallback') encourages the agent to make autonomous decisions for actions that typically require human oversight, increasing the risk of unintended consequences during the shipping process.
Audit Metadata