commit
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains a block that incorporates user-provided arguments ($ARGUMENTS) and explicitly states that these instructions "override the standard workflow when conflicts arise." This provides a direct path for prompt injection where a user could potentially command the agent to bypass the skill's logic or security constraints.
- [COMMAND_EXECUTION]: The skill uses the Bash tool with a restricted set of allowed git subcommands (e.g., git status, git diff, git commit). This allows the agent to modify the filesystem and read repository contents. The instructions include a security-focused directive to avoid using subshells or heredocs in git commands to ensure the agent's safety filters function correctly.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it reads and processes data from the repository.
  1. Ingestion points: The agent reads code and history via git status, git diff, and git log.
  2. Boundary markers: No explicit boundary markers or "ignore embedded instructions" warnings are used when processing git output.
  3. Capability inventory: The agent can execute git commands and perform file operations within the /tmp/ directory.
  4. Sanitization: No sanitization or filtering is performed on the output of git commands before it is processed by the model.