pre-commit
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `pre-commit` CLI and Bun's shell execution API (`$` and `spawn`) to perform operations such as installing git hooks, running validations on staged files, and managing hook environments.
- [EXTERNAL_DOWNLOADS]: Fetches configuration files and installation scripts from well-known repositories on GitHub, including the official `pre-commit` organization and `terraform-linters`.
- [REMOTE_CODE_EXECUTION]: Implements standard installation patterns for development tools (e.g., the `tflint` installer) and uses the `pre-commit try-repo` command to verify hook configurations from remote repositories as part of testing workflows.
- [PROMPT_INJECTION]: The skill possesses an indirect injection surface as it processes `.pre-commit-config.yaml` files to execute hooks. While this is the intended behavior of the framework, it represents a surface where an agent's actions could be influenced by instructions embedded in a project's configuration.
  - Ingestion points: `.pre-commit-config.yaml` (processed in `PreCommitManager.ts` and `HookValidator.ts`)
  - Boundary markers: Absent; the agent is instructed to parse and act upon the configuration content.
  - Capability inventory: Subprocess execution via Bun, file system writes, and git hook modification.
  - Sanitization: None; the logic assumes the configuration originates from a trusted project environment.
- [SAFE]: All identified behaviors and external references are consistent with the skill's primary purpose of providing a development automation framework. No malicious patterns or obfuscation techniques were detected.