PR Workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill makes extensive use of shell command execution using the `gh` (GitHub CLI) and `git` binaries. It performs sensitive actions such as creating, editing, and merging pull requests (`gh pr create`, `gh pr merge --auto`).
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  1. Ingestion points: The skill reads untrusted data from the local repository via `git log` (commit messages) and `git branch` (branch names).
  2. Boundary markers: No delimiters or protective instructions are used when the agent interpolates this data into the PR description body.
  3. Capability inventory: The skill has full write access to the repository's PR lifecycle, including automated merging capabilities.
  4. Sanitization: No sanitization or validation of the commit messages is performed before they are used to generate content.

  Analysis: An attacker capable of contributing a commit could craft a message designed to exploit the agent, potentially leading to unauthorized repository modifications or deceptive PR descriptions.
Recommendations
- AI detected serious security threats
Audit Metadata