skills/benjaming/ai-skills/pr/Gen Agent Trust Hub

pr

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted data from repository diffs and commit history to automate PR creation. This creates a surface for indirect prompt injection where malicious content within the analyzed files could attempt to influence the agent's PR classification or description.
      • Ingestion points: SKILL.md (Step 1: git diff review, Step 1.5: diff analysis, Step 1.6: Jira detection from logs/branches).
      • Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the diff output.
      • Capability inventory: The agent can execute git checkout, git add, git commit, and git push via the shell.
      • Sanitization: No sanitization or escaping of the diff content is performed before analysis.
  • [COMMAND_EXECUTION]: The skill interpolates agent-generated content into a shell command at Step 3 (git commit -m "<summary>"). This pattern represents a surface for command injection if an indirect prompt injection successfully manipulates the summary to include shell metacharacters, potentially leading to the execution of arbitrary commands within the user's repository environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 22, 2026, 10:56 AM