
qa-commit

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH risk due to potential command injection and indirect prompt injection vulnerabilities. It relies heavily on 'MCP Tools' such as 'Shell', 'SemanticSearch', 'Grep', 'Glob', and 'Browser MCP', which process dynamic input from the commit context. Without explicit sanitization of this input, an attacker could inject malicious commands or prompts.

Total Findings: 3

🔴 HIGH Findings:

  • Command Injection via Shell Tool
    • Line 44: The skill instructs the agent to run npm run test -- --grep "[feature name]". If [feature name] is attacker-controlled (for example, through a malicious commit message or QA contract) and the agent interpolates it into a shell command string, the value can end the test command and start another. A value such as "; rm -rf / -- " (the leading double quote closes the template's own quoting and the trailing one re-balances it) turns the single test invocation into two commands.

  • Indirect Prompt Injection via SemanticSearch/Grep/Glob
    • Lines 54, 60, 74, 79: The skill passes dynamic input such as [endpoint], "interface.*Response", [ComponentName], and [ComponentName]*.stories.tsx to the SemanticSearch, Grep, and Glob tools. Whatever these searches return is fed back into the agent's context, so attacker-controlled inputs can steer retrieval toward files or content carrying instructions the agent will then act on, or otherwise manipulate the tools' behavior in unintended ways.

🟡 MEDIUM Findings:

  • Potential Data Exfiltration via Browser Screenshots
    • Line 84: The Browser MCP tool exposes browser_take_screenshot, which the skill uses to capture evidence. The skill itself does not instruct exfiltration, but if the captured screenshots contain sensitive information and the agent does not handle them securely (for example, uploading them to an external server without user consent), the result is data leakage. The risk is greatest if the agent's subsequent actions are compromised by one of the prompt injection paths above.

🔵 LOW Findings: • No low findings.

ℹ️ TRUSTED SOURCE References: • No trusted source references.

================================================================================

Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 12, 2026, 02:19 PM