agentic-jujutsu

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs shell-level version control operations such as git push, commit, and branch management via the jj.execute method and JjWrapper API.
  • [EXTERNAL_DOWNLOADS]: Fetches the agentic-jujutsu package and its dependencies (e.g., @qudag/napi-core) from the NPM registry, which is a well-known package service.
  • [REMOTE_CODE_EXECUTION]: Utilizes npx agentic-jujutsu to download and execute the package logic directly from the remote NPM registry during setup.
  • [PROMPT_INJECTION]: Implements an indirect prompt injection surface through its 'ReasoningBank' self-learning loop.
  • Ingestion points: Untrusted task descriptions enter the context via jj.startTrajectory(task) and jj.getSuggestion(task) in SKILL.md and references/capabilities-and-api.md.
  • Boundary markers: None identified in the provided documentation or code snippets.
  • Capability inventory: The skill can execute shell commands (jj.execute), create branches, and manage commits.
  • Sanitization: No explicit sanitization or validation of the input task descriptions is shown before they influence the getSuggestion output used for subsequent operations.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 06:40 AM
Security Audit — agent-trust-hub — agentic-jujutsu