verify-before-commit
Pass
Audited by Gen Agent Trust Hub on Jun 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute various shell commands for repository maintenance, including type-checking, linting, and testing (e.g., `npx`, `npm`, `go`).
- [COMMAND_EXECUTION]: Shell redirection is used to update local files, such as appending to the log file via `echo "promoted" >> llmwiki/wiki/log.md`.
- [DYNAMIC_EXECUTION]: The specific commands to be run are dynamically determined at runtime by inspecting project files like `package.json` and `go.mod`.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect injection if an attacker modifies the project's configuration files (e.g., `package.json` scripts) to include malicious commands, which the agent would then execute as part of the verification process.
  - Ingestion points: `package.json`, `go.mod` (as described in SKILL.md steps 1-3).
  - Boundary markers: Absent; the skill does not use delimiters or warnings when processing detected commands.
  - Capability inventory: Subprocess execution via `RUN:` tags and file system write operations.
  - Sanitization: Absent; the skill blindly executes detected command strings.
Audit Metadata