create-branch
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using the Bash tool. In SKILL.md (Step 4), it instructs the agent to run 'git checkout -b' with a branch name provided by the user. If the user provides a name containing shell metacharacters (such as semicolons, backticks, or pipes), the agent may execute those as commands. This is exacerbated by the instruction in Step 3 to use user-provided names 'as-is'.
- [COMMAND_EXECUTION]: The script 'scripts/detect-base-branch.sh' executes another script via a relative path ('../../shared/scripts/detect-base-branch.sh') that resides outside of the skill's own directory structure. This creates a dependency on external files that are not part of the skill package.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface, as it processes untrusted data from $ARGUMENTS and from confirmation prompts.
  - Ingestion points: the $ARGUMENTS variable in SKILL.md and user responses to the branch confirmation prompt in Step 3.
  - Boundary markers: $ARGUMENTS is enclosed within delimiting tags.
  - Capability inventory: the skill uses the Bash tool to perform git operations and execute local scripts.
  - Sanitization: while the skill suggests a kebab-case conversion for inferred names, it explicitly waives sanitization for user-provided custom names.
Audit Metadata