skills/camacho/ai-skills/local-merge/Gen Agent Trust Hub

local-merge

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Input validation for branch names occurs too late in the execution flow. The BRANCH and TARGET variables are used in git fetch and git rev-list commands in Phase 1a before the case validation statement in Phase 1b is ever reached.
  • [COMMAND_EXECUTION]: Shell command injection vulnerability in the MESSAGE parameter. The commit message input is interpolated into the git merge command in Phase 1b (git -C "$MERGE_DIR" merge FETCH_HEAD -m "$MESSAGE") without any validation for shell metacharacters, allowing an attacker to execute arbitrary commands.
  • [COMMAND_EXECUTION]: Shell command injection vulnerability in the PRIMARY parameter. The path provided for the primary worktree is used in multiple git -C "$PRIMARY" commands throughout Phase 2 without sanitization, which can be exploited to run arbitrary shell commands by crafting the path string.
Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 03:33 PM