auto-ship
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a
PreToolUsehook for the Bash tool. This hook executes a local shell script (guard-ship-irreversibles.sh) whenever a shell command is invoked. This is a defensive mechanism designed to enforce safety constraints at the tool layer. - [COMMAND_EXECUTION]: The hook logic dynamically searches for the guard script in multiple locations, including project-local directories (
.claude/skills/,.agents/skills/) and the user's home directory. This allows for both global and project-specific safety configurations. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the codebase, specifically git commit messages and diffs, to generate release notes.
- Ingestion points: Reads git commit history and repository diffs during Phase 0 (Preflight) and Phase 2 (Prepare release artifacts).
- Boundary markers: No explicit instructions are provided to the agent to treat diff/commit content as untrusted data or to use delimiters to prevent instruction leakage.
- Capability inventory: The skill possesses high capabilities including
Bash(shell access),Write/Edit(file system modification), andWorkflow(process management). - Sanitization: Security relies on the use of a secondary
adversarial-verifyskill and a mandatory human sign-off (AskUserQuestion) before any irreversible deployment or publishing action is taken.
Audit Metadata