pr-creator
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell command execution using standard repository management tools. Evidence: It executes
gitfor repository state and diffing, as well asghandglabfor interacting with GitHub and GitLab hosting platforms. - [DATA_EXFILTRATION]: This skill transmits repository data, such as branch diffs and commit history, to external hosting providers (GitHub, GitLab, Bitbucket). This behavior is documented, aligns with the primary purpose of creating pull requests, and targets well-known services.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it uses repository content (diffs and logs) to draft PR descriptions. Evidence: (1) Ingestion points: Data is read via
git logandgit diffinSKILL.md. (2) Boundary markers: No delimiters or ignore instructions are applied to the ingested diff content. (3) Capability inventory: The skill can push branches and create pull requests. (4) Sanitization: The risk is mitigated by a mandatory human-in-the-loop preview and confirmation step (Step 7), ensuring user oversight of all generated content.
Audit Metadata