cc-commit-msg

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data in the form of git diff output to summarize changes. This presents an indirect prompt injection surface where instructions hidden in the codebase could attempt to manipulate the generated commit message. However, the skill maintains a very narrow operational scope and specific output formatting rules which limit the effectiveness of such attacks.
  • [COMMAND_EXECUTION]: The skill generates shell commands intended for the user to copy and paste. It correctly identifies and mitigates the risk of shell expansion by wrapping the commit message body in a quoted heredoc (<<'EOF'). This ensures that the shell treats the commit message as a literal string, preventing the execution of command substitutions (e.g., $(...)) or variable expansions that might be present in the diff content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 03:34 AM
Security Audit — agent-trust-hub — cc-commit-msg