hotfix
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data and interpolates it directly into sub-agent prompts.
  - Ingestion points: The `$ARGUMENTS` variable in `SKILL.md` (line 15) captures user-provided bug descriptions or issue links.
  - Boundary markers: While `<bug_description>` tags are present in Phase 1 of `SKILL.md`, there are no instructions to the sub-agents to ignore or escape instructions contained within that data.
  - Capability inventory: The skill can invoke codebase review agents, execute git commands, and perform file deletions (`rm -rf`) as seen in `SKILL.md`.
  - Sanitization: No sanitization or content validation is implemented for the user-provided input before it is used in Phase 1 and Phase 2.
- [COMMAND_EXECUTION]: The skill uses inferred slugs derived from potentially malicious user input in shell commands.
  - Evidence: Phase 2 in `SKILL.md` instructs the agent to create a git branch using a slug derived from the bug description: `git checkout -b hotfix/<slug>`. A malicious input could attempt to influence the shell command structure if the agent fails to properly sanitize the inferred slug.
Audit Metadata