coffee-break
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted content from workspace memory files (ai-workspace/MEMORY.md and internal agent memory directories) to determine its logic flow without using boundary markers or sanitization. Evidence: 1. Ingestion points: .claude/projects/ and MEMORY.md; 2. Boundary markers: Absent; 3. Capability inventory: git commit, git push, and shell script execution; 4. Sanitization: Absent.
- [COMMAND_EXECUTION]: The skill executes git commands (status, commit, push) to maintain session persistence.
- [COMMAND_EXECUTION]: References a local environment script named no-commit-primary-worktree.sh to conditionally block filesystem writes.
- [DATA_EXFILTRATION]: Performs repository synchronization via git push to save session state to an external upstream server, which is the primary intended function of the skill.
Audit Metadata