skills/camacho/ai-skills/local-merge/Gen Agent Trust Hub

local-merge

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides defensive git workflow instructions focused on data integrity and state preservation. No malicious patterns, obfuscation, or unauthorized access attempts were detected.
  • [COMMAND_EXECUTION]: The skill utilizes git CLI commands. It includes a security-critical instruction to 'Validate refs before constructing shell commands', which effectively mitigates potential command injection from user-provided branch names or commit messages.
  • [DATA_EXFILTRATION]: Network operations are restricted to standard git functions (push, fetch, clone) interacting with the repository's configured remote. There is no evidence of unauthorized exfiltration of sensitive files or credentials.
  • [SAFE]: The skill's ingestion of external data (git history and diffs) was assessed for indirect prompt injection risk. The surface is well-contained as the skill does not execute the content of the repository or allow it to influence privileged actions.
  • Ingestion points: The skill reads status, ahead and behind counts, incoming commit log, and diff stat in Phase 2 of SKILL.md.
  • Boundary markers: None explicitly defined for repo content.
  • Capability inventory: Git push and worktree modification are documented in SKILL.md.
  • Sanitization: Ref validation is required before any command execution.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 09:50 AM
Security Audit — agent-trust-hub — local-merge