commit
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The guide.md file instructs the agent to perform a validation check using the command echo "{message}" | npx commitlint. This pattern is vulnerable to command injection if the generated commit message contains shell metacharacters such as backticks, semicolons, or pipes. Since the message is generated based on code diffs, an attacker could potentially influence the message content to trigger arbitrary command execution.
- [REMOTE_CODE_EXECUTION]: The skill's documentation recommends the use of npx commitlint for validation. This command downloads and executes the commitlint package from the NPM registry at runtime without a pinned version, which introduces supply chain risks and potential for executing untrusted remote code.
- [EXTERNAL_DOWNLOADS]: The skill refers to the AsiaOstrich/universal-dev-standards repository and external guides for its core logic. These are vendor-owned resources and do not represent a third-party risk beyond the author's own infrastructure, but they do involve fetching external content during operation.
Audit Metadata