branch-cleanup
Pass
Audited by Gen Agent Trust Hub on Jul 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs several shell-based operations to manage git state. These include inventorying branches, deleting local and remote refs (
git branch -D,git push origin --delete), and removing worktrees (git worktree remove). These are standard administrative tasks and are guarded by user approval prompts. - [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface by ingesting and displaying data from the repository environment that may be controlled by other users.
- Ingestion points: Branch names, commit subjects, and PR titles are pulled into the agent's context using
git log,git for-each-ref, andgh pr list(found inreferences/classify.md). - Boundary markers: The output format in
SKILL.mduses markdown tables to display this data but lacks explicit delimiters or instructions to the agent to ignore any commands contained within the data fields. - Capability inventory: The skill has the capability to perform destructive file system and remote repository modifications (
git branch -D,git push --delete,git worktree remove) based on the classification of this data. - Sanitization: There is no evidence of sanitization for commit messages or branch names, which are interpolated directly into the summary output.
Audit Metadata