autonomous-dev
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses restrictive language and authoritative markers such as 'NON-NEGOTIABLE RULES', 'MUST NOT skip', and 'MANDATORY' to enforce its internal workflow, which mimics behavior override patterns seen in prompt injection attacks.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted data from GitHub issues. Specifically, it is designed to parse issue bodies for a '## Pre-existing Changes' section and execute 'git apply' or 'git cherry-pick' on the contained diffs or branch references.
  - Ingestion points: GitHub issue body fetched via 'gh issue view'.
  - Boundary markers: Absent; the skill relies on simple markdown headers which can be easily spoofed by an external contributor.
  - Capability inventory: The skill has the capability to execute shell commands ('git apply', 'npm test') that will run the injected code during the local verification step.
  - Sanitization: There is no evidence of sanitization or validation for the diff content before it is applied to the codebase.
- [COMMAND_EXECUTION]: The skill performs extensive terminal operations including git worktree management, dependency installation ('npm install'), and GitHub CLI interactions. It also references a strategy to bypass bot detection using a 'gh-as-user.sh' script to make automated PR comments appear as if they came from a human user.