autonomous-common
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in the `hooks/verify-completion.sh` script.
  - Ingestion points: Pull request comment bodies are retrieved from GitHub using the `gh api graphql` command in `hooks/verify-completion.sh`.
  - Boundary markers: The retrieved comment text is interpolated directly into the `systemMessage` field of the hook's JSON response without any delimiters or instructions for the agent to ignore embedded commands.
  - Capability inventory: The skill possesses significant capabilities, including the ability to modify files, commit changes, and interact with the GitHub API across multiple scripts.
  - Sanitization: The script performs basic truncation by only including the first 80 characters of the comment, which reduces the potential for long payloads but does not prevent concise injection attempts.
- [COMMAND_EXECUTION]: The skill relies on a suite of shell scripts to manage Git operations and GitHub interactions. While the scripts demonstrate security best practices—such as using `jq` with argument binding (`--arg`), sanitizing identifiers with `sed`, and passing variables to `awk` via `ENVIRON`—the inherent complexity of shell-based command assembly for tool inputs presents a surface for potential execution issues if sanitization is bypassed.
Audit Metadata