commit
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating variables directly into a command string, which is a known pattern for command injection vulnerabilities.
- Evidence: In `SKILL.md`, steps 2 and 3 instruct the agent to execute `git-agent commit --intent "<intent>" --co-author "<model> <noreply@anthropic.com>"`.
- Risk: If the `intent` derived from the conversation or the `model` name provided in arguments contains shell metacharacters like semicolons, backticks, or command substitution syntax, it could lead to arbitrary code execution in the shell environment.
- [PROMPT_INJECTION]: The skill processes untrusted conversation data to generate command arguments, creating an indirect prompt injection surface.
- Ingestion points: User conversation is used to "Derive a one-sentence intent" (SKILL.md).
- Boundary markers: None. There are no instructions to the agent to treat the conversation as untrusted data or to ignore instructions embedded within it.
- Capability inventory: The skill uses the `Bash` tool to execute `git-agent` and `git` commands.
- Sanitization: Absent. There are no instructions to sanitize, escape, or validate the derived intent or model name before they are interpolated into the bash command.
Audit Metadata