refinery-merge
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands for git operations (e.g., `git checkout {mr.sourceBranch}`) and testing (e.g., `npm test`). Since the branch names and target branches are sourced from external merge requests, the lack of explicit sanitization or validation creates a surface for command injection if an adversary provides a malicious branch name.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and acts upon data from 'polecat' agents or external merge request beads. Malicious instructions could potentially be embedded in metadata to influence the agent's automated merge logic.
  - Ingestion points: Merge request data (branch names, IDs, status) is retrieved from the `.chipset/state/` directory via the `StateManager` (SKILL.md).
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when interpolating merge request data into command strings.
  - Capability inventory: The skill possesses the capability to execute shell commands, perform git rebase/merge/push operations, and execute project-specific test suites (SKILL.md, references/boundaries.md).
  - Sanitization: There is no evidence of sanitization, escaping, or schema validation for external branch names or bead IDs before they are used in the merge pipeline.
Audit Metadata