conventional-commit

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill executes npx git-cz, which fetches and runs a package from an untrusted third-party source (streamich). This represents an unverifiable dependency risk.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection.
      1. Ingestion points: The agent reads untrusted content from git diff and git status (SKILL.md).
      2. Boundary markers: Absent; there are no delimiters or warnings to ignore instructions within the diffed code.
      3. Capability inventory: The skill can execute shell commands like git commit and git push (SKILL.md).
      4. Sanitization: Absent; file content is used to logically group changes and write commit messages without filtering.
  • COMMAND_EXECUTION (SAFE): Standard git commands are used appropriately for the skill's intended functionality.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 17, 2026, 06:35 PM