gh-create-pr
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands using `git` and `gh` to inspect repository status, push branches, and create Pull Requests.
- [COMMAND_EXECUTION]: Branch names, Pull Request titles, and descriptions are interpolated into shell commands. While this presents a surface for command injection if repository metadata is maliciously crafted, it is consistent with the primary purpose of the skill.
- [SAFE]: All network operations are directed towards the repository's configured 'origin' (GitHub), and the tool dependencies (`git`, `gh`) are standard, well-known developer utilities.
- [SAFE]: The suggestion to use broad permissions (`required_permissions: ["all"]`) for troubleshooting is a configuration hint rather than an inherent vulnerability in the skill's logic.
Audit Metadata