ship-it
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a standard software engineering workflow (Commit -> Push -> PR -> Merge -> Close Issue) using legitimate tools (`git` and `gh`). No malicious patterns, obfuscation, or unauthorized network access were detected.
- [COMMAND_EXECUTION]: The skill uses the `Bash(git:*)` and `Bash(gh:*)` tools, which are explicitly listed in the `allowed-tools` manifest. The commands are scoped to repository management and do not attempt to access sensitive system files or execute arbitrary code.
- [PROMPT_INJECTION]: The instructions do not contain any bypass markers, role-play injections, or attempts to override the agent's core safety instructions.
- [SAFE]: While the skill interpolates user-provided text into commit messages and PR bodies, the provided examples use quoted heredocs (`cat <<'EOF'`). This is a defensive programming practice that prevents the shell from interpreting special characters or performing command substitution within the user-provided string.
Audit Metadata