review
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to take whatever the user provides as a 'fixed point' (commit, branch, or tag) and "pass it through" to shell commands like
git diff <fixed-point>...HEADandgit log <fixed-point>..HEAD. This creates a direct command injection vulnerability if a user provides a string containing shell metacharacters or additional commands (e.g.,; rm -rf / ;). - [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface by design. It ingests untrusted data from the repository's code diffs, issue tracker results, and specification files, then interpolates this content into the instructions for 'Standards' and 'Spec' sub-agents.
- Ingestion points: Git diff output, commit message issue references, and files found under
docs/,specs/, or.scratch/(SKILL.md Step 2 and 4). - Boundary markers: Absent. The prompts sent to the sub-agents do not use delimiters or instructions to ignore embedded commands within the diff or spec content.
- Capability inventory: The skill uses the
Agenttool to spawn sub-agents and executes local shell commands viagit. - Sanitization: None. The instructions explicitly state "Don't be opinionated; pass it through," which discourages the agent from validating or escaping the input before processing it.
Audit Metadata