pull-request
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted data from git logs and diffs to generate PR content.
- Ingestion points: The skill executes
git logandgit diffand uses the output as context for drafting PR titles and bodies. - Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore instructions embedded within the git data.
- Capability inventory: The agent can execute shell commands (
git push,gh pr create) and write files. - Sanitization: There is no mention of sanitizing or escaping the data retrieved from the repository before processing it.
- [COMMAND_EXECUTION]: The PR title is interpolated into a shell command string:
gh pr create --title "<title>". If the agent generates a title containing shell control characters (e.g., backticks or semicolons) without proper escaping, it could lead to unintended command execution in the user's terminal environment.
Audit Metadata