auto-ship

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a PreToolUse hook for the Bash tool. This hook executes a local shell script (guard-ship-irreversibles.sh) whenever a shell command is invoked. This is a defensive mechanism designed to enforce safety constraints at the tool layer.
  • [COMMAND_EXECUTION]: The hook logic dynamically searches for the guard script in multiple locations, including project-local directories (.claude/skills/, .agents/skills/) and the user's home directory. This allows for both global and project-specific safety configurations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the codebase, specifically git commit messages and diffs, to generate release notes.
  • Ingestion points: Reads git commit history and repository diffs during Phase 0 (Preflight) and Phase 2 (Prepare release artifacts).
  • Boundary markers: No explicit instructions are provided to the agent to treat diff/commit content as untrusted data or to use delimiters to prevent instruction leakage.
  • Capability inventory: The skill possesses high capabilities including Bash (shell access), Write/Edit (file system modification), and Workflow (process management).
  • Sanitization: Security relies on the use of a secondary adversarial-verify skill and a mandatory human sign-off (AskUserQuestion) before any irreversible deployment or publishing action is taken.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:15 AM
Security Audit — agent-trust-hub — auto-ship