skills/steveclarke/dotfiles/ship/Gen Agent Trust Hub

ship

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The pull request creation process is vulnerable to argument injection. The skill interpolates the generated PR body into a shell command (gh pr create --body \"$(...)\") without escaping double quotes. An attacker could craft a commit message containing double quotes to break out of the string and inject arbitrary flags or potentially execute additional commands.\n- [COMMAND_EXECUTION]: The helper script scripts/readiness.sh is vulnerable to directory traversal. Project and branch names, derived from the git environment, are used to construct file paths (e.g., $READINESS_DIR/$project/$branch.jsonl) without validation against .. components. This allows a malicious or compromised repository to write state files or append data to arbitrary locations on the filesystem.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from the git commit history to generate descriptions, providing a vector for attackers to influence the agent's output and subsequent actions.\n
  • Ingestion points: Git commit history (git log --oneline) and readiness logs used to build the PR description in SKILL.md (Step 5).\n
  • Boundary markers: Absent; untrusted commit messages are processed by the agent without delimiters or instructions to ignore embedded commands.\n
  • Capability inventory: Branch pushing (git push) and pull request creation (gh pr create).\n
  • Sanitization: None; the skill does not filter or escape content from the commit history before it is interpreted by the agent.\n- [PROMPT_INJECTION]: The readiness.sh script is vulnerable to log poisoning and schema confusion. It constructs JSON log entries using string concatenation without escaping newlines or double quotes in the branch name. This allows an attacker to inject fake entries into the state log, potentially bypassing readiness checks or influencing the PR creation logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 01:43 PM
Security Audit — agent-trust-hub — ship