commit-helper

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute standard git commands (git diff) for code review and runs a local Python utility script (scripts/validate_commit.py) to check the syntax of generated commit messages.
  • [PROMPT_INJECTION]: The skill processes untrusted data from the codebase through git diff. While this presents a surface for indirect prompt injection, the ingested content is used exclusively for generating descriptive text and is not interpolated into executable logic or administrative commands. No boundary markers are used for the git diff output, but the risk is minimized by the skill's narrow functional scope.
  • [SAFE]: No obfuscation, data exfiltration, or unauthorized persistence mechanisms were found. The skill does not attempt to download external scripts or install third-party packages.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 22, 2026, 06:15 PM
Security Audit — agent-trust-hub — commit-helper