skills/ecology9191/skills/review/Gen Agent Trust Hub

review

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to take whatever the user provides as a 'fixed point' (commit, branch, or tag) and "pass it through" to shell commands like git diff <fixed-point>...HEAD and git log <fixed-point>..HEAD. This creates a direct command injection vulnerability if a user provides a string containing shell metacharacters or additional commands (e.g., ; rm -rf / ;).
  • [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface by design. It ingests untrusted data from the repository's code diffs, issue tracker results, and specification files, then interpolates this content into the instructions for 'Standards' and 'Spec' sub-agents.
  • Ingestion points: Git diff output, commit message issue references, and files found under docs/, specs/, or .scratch/ (SKILL.md Step 2 and 4).
  • Boundary markers: Absent. The prompts sent to the sub-agents do not use delimiters or instructions to ignore embedded commands within the diff or spec content.
  • Capability inventory: The skill uses the Agent tool to spawn sub-agents and executes local shell commands via git.
  • Sanitization: None. The instructions explicitly state "Don't be opinionated; pass it through," which discourages the agent from validating or escaping the input before processing it.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 10:47 AM
Security Audit — agent-trust-hub — review