ship
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it reads and follows instructions from untrusted repository files:
  - Ingestion points: The skill reads rules from `AGENTS.md` and analyzes the content of branch diffs (SKILL.md).
  - Boundary markers: Absent; there are no explicit delimiters used to separate the skill's logic from the data found in the repository files.
  - Capability inventory: The skill has the capability to execute shell commands (`nr`), manage git history, and interact with the GitHub API (gh).
  - Sanitization: Absent; the skill does not sanitize or validate the instructions found in `AGENTS.md` before adopting them as part of its execution logic.
- [COMMAND_EXECUTION]: The skill executes development lifecycle commands (`nr test`, `nr lint`, `nr typecheck`, `nr format:check`) and system binaries (`git`, `gh`). These actions are standard for release automation but depend on the integrity of the scripts defined in the repository.
- [DATA_EXFILTRATION]: The skill performs legitimate network operations to synchronize code with remote hosts using `git push` and `gh pr create`. These actions are necessary for the 'ship' functionality and occur within the developer's authorized environment.
Audit Metadata