ship
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The pull request creation process is vulnerable to argument injection. The skill interpolates the generated PR body into a shell command (
gh pr create --body \"$(...)\") without escaping double quotes. An attacker could craft a commit message containing double quotes to break out of the string and inject arbitrary flags or potentially execute additional commands.\n- [COMMAND_EXECUTION]: The helper scriptscripts/readiness.shis vulnerable to directory traversal. Project and branch names, derived from the git environment, are used to construct file paths (e.g.,$READINESS_DIR/$project/$branch.jsonl) without validation against..components. This allows a malicious or compromised repository to write state files or append data to arbitrary locations on the filesystem.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from the git commit history to generate descriptions, providing a vector for attackers to influence the agent's output and subsequent actions.\n - Ingestion points: Git commit history (
git log --oneline) and readiness logs used to build the PR description inSKILL.md(Step 5).\n - Boundary markers: Absent; untrusted commit messages are processed by the agent without delimiters or instructions to ignore embedded commands.\n
- Capability inventory: Branch pushing (
git push) and pull request creation (gh pr create).\n - Sanitization: None; the skill does not filter or escape content from the commit history before it is interpreted by the agent.\n- [PROMPT_INJECTION]: The
readiness.shscript is vulnerable to log poisoning and schema confusion. It constructs JSON log entries using string concatenation without escaping newlines or double quotes in the branch name. This allows an attacker to inject fake entries into the state log, potentially bypassing readiness checks or influencing the PR creation logic.
Audit Metadata