coregit
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use npx coregit-wizard@latest for user onboarding, which downloads and executes the latest version of a package from the npm registry. While this is a vendor-owned package and npm is a well-known service, executing unpinned remote code is a practice that introduces minor supply chain risk.
- [COMMAND_EXECUTION]: The skill includes a cgt exec tool which allows the agent to run arbitrary shell commands within a project workspace. This powerful capability increases the potential impact of any instructions derived from untrusted repository content.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process external code and documentation from git repositories.
  1. Ingestion points: Data enters the context via cgt blob, cgt search, cgt semantic-search, and various wiki-related read commands.
  2. Boundary markers: The instructions do not specify any delimiters or warnings to the agent to ignore instructions embedded in the repository files.
  3. Capability inventory: The agent has access to arbitrary shell execution (cgt exec), network operations (curl), and repository write access (cgt commit).
  4. Sanitization: No sanitization, escaping, or validation of the fetched repository content is mentioned before it is processed by the agent.
Audit Metadata