cc-ship
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Uses git for commit log analysis and curl for health check verification during the smoke testing phase of deployment.
- [PROMPT_INJECTION]: The release process is governed by status flags and data retrieved from external files like impl-checklist.yaml and review-report, creating a surface for indirect prompt injection. • Ingestion points: Data is ingested from impl-checklist.yaml and review-report as described in SKILL.md. • Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the ingested files. • Capability inventory: The agent performs file system operations via git and network operations via curl. • Sanitization: The skill does not specify any sanitization, validation, or escaping protocols for the content read from external reports.
- [EXTERNAL_DOWNLOADS]: References external security audits conducted through package managers like npm and pip.
Audit Metadata