branch-cleanup

Pass

Audited by Gen Agent Trust Hub on Jul 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs several shell-based operations to manage git state. These include inventorying branches, deleting local and remote refs (git branch -D, git push origin --delete), and removing worktrees (git worktree remove). These are standard administrative tasks and are guarded by user approval prompts.
  • [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface by ingesting and displaying data from the repository environment that may be controlled by other users.
  • Ingestion points: Branch names, commit subjects, and PR titles are pulled into the agent's context using git log, git for-each-ref, and gh pr list (found in references/classify.md).
  • Boundary markers: The output format in SKILL.md uses markdown tables to display this data but lacks explicit delimiters or instructions to the agent to ignore any commands contained within the data fields.
  • Capability inventory: The skill has the capability to perform destructive file system and remote repository modifications (git branch -D, git push --delete, git worktree remove) based on the classification of this data.
  • Sanitization: There is no evidence of sanitization for commit messages or branch names, which are interpolated directly into the summary output.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 13, 2026, 05:20 PM
Security Audit — agent-trust-hub — branch-cleanup