jj-workflow
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to bypass platform security constraints and environmental isolation.
  - Evidence: The "Permission Requirements" section commands the agent to request `required_permissions: ["all"]` and asserts that commands should never be run in the default sandbox. This is a privilege escalation attempt targeting the agent's execution environment.
- [INDIRECT_PROMPT_INJECTION]: The skill defines a complex protocol for processing untrusted repository data without security boundaries.
  - Ingestion points: The agent is instructed to read commit logs (`jj log`) and code diffs (`jj diff`) from the repository in the "Description Check Protocol" section of SKILL.md.
  - Boundary markers: Absent. There are no instructions to use delimiters or to ignore commands that might be embedded in the repository history or code changes.
  - Capability inventory: The agent has the ability to execute shell commands, modify file history, and push data to remote servers (`jj git push`).
  - Sanitization: No sanitization or validation is performed on the data ingested from the repository before the agent uses it to decide its next action.
- [COMMAND_EXECUTION]: The skill relies on and encourages the use of advanced shell pipelines that can be abused.
  - Evidence: Examples include complex command sequences using process substitution and multiple pipes, such as `printf ... | cat - <(jj log ...) | jj describe ... --stdin`, which are harder for users to audit for safety.
- [DATA_EXFILTRATION]: The skill provides instructions for interacting with and potentially hiding sensitive local configuration files.
  - Evidence: The instructions include commands to untrack files like `local-config.json` and directory patterns like `.agents/**`, which are common locations for credentials and internal agent state.
Recommendations
- AI detected serious security threats
Audit Metadata