github
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to use git and gh CLI tools to automate repository tasks.
- Evidence: SKILL.md and references/stacked-pr-workflow.md contain templates for `git rebase --onto`, `git push --force-with-lease`, and `gh pr merge`.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by interpolating external metadata into command-line arguments (Category 8).
- Ingestion points: Branch names, pull request titles, and PR numbers are ingested from the repository environment in SKILL.md and references/stacked-pr-workflow.md.
- Boundary markers: The skill instructions do not define boundary markers or include directives to ignore embedded instructions in the ingested content.
- Capability inventory: The agent is instructed to perform subprocess execution of git and gh tools using these external strings.
- Sanitization: There is no requirement or logic provided to sanitize or escape user-controlled strings like `<PR title>` before they are executed in a shell context.
Audit Metadata