cc-commit-msg
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data in the form of
git diffoutput to summarize changes. This presents an indirect prompt injection surface where instructions hidden in the codebase could attempt to manipulate the generated commit message. However, the skill maintains a very narrow operational scope and specific output formatting rules which limit the effectiveness of such attacks. - [COMMAND_EXECUTION]: The skill generates shell commands intended for the user to copy and paste. It correctly identifies and mitigates the risk of shell expansion by wrapping the commit message body in a quoted heredoc (
<<'EOF'). This ensures that the shell treats the commit message as a literal string, preventing the execution of command substitutions (e.g.,$(...)) or variable expansions that might be present in the diff content.
Audit Metadata