team-routing
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from the local git environment which could be manipulated to influence logic.
- Ingestion points: Branch names and file paths are extracted in Phase 1 of SKILL.md.
- Boundary markers: Absent. There are no instructions to the agent to treat filenames or branch names as data only.
- Capability inventory: The skill executes shell commands (`git diff`, `gh pr list`) and performs Notion API queries based on the extracted data.
- Sanitization: Absent. The skill does not validate or sanitize extracted keywords before use in database filters or shell commands.
- Command Execution (SAFE): The skill utilizes standard developer tools to gather context.
- Evidence: Subprocess calls to `git diff`, `gh pr list`, and `jq` are used to determine domain context and check reviewer availability in SKILL.md Phases 1 and 4.