skills/cartridge-gg/docs/create-pr/Gen Agent Trust Hub

create-pr

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill implements a dangerous feedback loop where it ingests untrusted external data and possesses high-privilege write capabilities.
      • Ingestion points: scripts/poll-pr.sh and scripts/triage-pr.sh fetch the bodies of issue comments, review comments, and PR reviews using the GitHub API.
      • Boundary markers: Absent. Instructions in SKILL.md (Step 13) tell the agent to "read the review body and any inline comments carefully" and "Address feedback" without any delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill allows the agent to execute git commit and git push (Step 13) and even gh pr merge (Step 15), providing a direct path for an attacker to land code in the repository.
      • Sanitization: Absent. No filtering or validation is performed on the content retrieved from GitHub before it is used to influence the agent's coding decisions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:22 AM