pr-split
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the local installation of the Git CLI and GitHub CLI (
gh) to perform branch management, code staging, rebasing, and PR creation. These commands are executed based on the user's local repository state and are essential for the skill's primary functionality. - [DATA_EXFILTRATION]: The skill performs network operations using
git pushandgh pr create. These operations target the user's configured remote repository (typically GitHub) and are used to upload branch content and create metadata for Pull Requests. This is standard behavior for development-focused skills and targets whitelisted domains. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes external data in the form of branch diffs and commit messages.
- Ingestion points: In Phase 1.1, the agent gathers the full diff and commit history of the feature branch being analyzed.
- Boundary markers: There are no specific instructions or delimiters provided to the agent to treat content within the diffs as untrusted data or to ignore embedded instructions.
- Capability inventory: The agent has the capability to execute shell commands (git/gh) and trigger other internal skills (pr-review, code-fixup).
- Sanitization: No explicit sanitization or filtering is applied to the content of the files being read before they are processed by the agent's logic.
Audit Metadata