preqstation
Warn
Audited by Gen Agent Trust Hub on Jun 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements an autonomous workflow where the AI agent is explicitly instructed to perform git operations, such as commits, pushes, and pull request creation, without seeking user approval. This behavior is driven by remote configuration and task data fetched via the PREQSTATION API.
- [COMMAND_EXECUTION]: The
scripts/preqstation-api.shhelper script contains thepreq_review_taskfunction, which utilizes theevalcommand to execute testing, building, and linting instructions provided as arguments. This allows for arbitrary command execution on the host machine if the commands originate from an untrusted or compromised remote task source. - [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it ingests untrusted data from an external API (
preq_get_task) and a local file (.preqstation-prompt.txt) to guide the agent's actions. - Ingestion points: Remote task details from the PREQSTATION API and content from the
.preqstation-prompt.txtfile. - Boundary markers: Absent; the agent is instructed to load and treat these external files as the primary source of truth for its objectives.
- Capability inventory: Includes git repository modification, pull request creation, shell command execution via the
evalhelper, and API state mutations. - Sanitization: No evidence of sanitization, validation, or escaping of remote content was found in the instructions.
- [EXTERNAL_DOWNLOADS]: The skill's documentation provides commands for installing and updating the package as a Claude Code plugin directly from the author's public GitHub repository (
https://github.com/sonim1/preqstation-skill).
Audit Metadata