stage-chapters
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several shell commands to perform its core functions.
- It runs
which stagereviewto check for the presence of the required CLI tool. - It runs
git rev-parse --is-inside-work-treeto verify the execution context is a git repository. - It executes
stagereview prepto generate diff data andstagereview showto launch a local review interface. - [EXTERNAL_DOWNLOADS]: The skill instructions advise the user to install the
stagereviewpackage globally via npm (npm install -g stagereview) if the command is not found. This is a legitimate dependency for the skill's functionality. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from the local environment.
- Ingestion points: The skill reads git commit messages and diff hunks from a temporary file generated by the
prepcommand. - Boundary markers: While the data is delimited by headers like
=== COMMIT MESSAGES ===and=== HUNKS ===, there are no specific instructions for the agent to ignore or escape instructions that might be embedded within these git objects. - Capability inventory: The skill possesses the ability to execute shell commands and write to the file system via
mktempandcatheredocs. - Sanitization: The instructions do not specify any sanitization or validation of the content retrieved from the git repository before it is processed by the LLM.
Audit Metadata