Stacked PR Management

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes external data from GitHub Pull Requests which acts as an untrusted ingestion point.
      • Ingestion points: gh pr view and gh pr create retrieve data such as branch names, titles, and body content from the GitHub API.
      • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore potential commands embedded in PR metadata.
      • Capability inventory: The skill possesses significant 'write' capabilities, including git push --force-with-lease, git rebase, and gh pr merge (found in SKILL.md).
      • Sanitization: Absent. While shell variables are quoted to prevent simple shell injection, there is no logic to sanitize or validate the intent of the data retrieved from the external PRs before the agent acts upon it.
  • [Command Execution] (MEDIUM): The skill performs automated branch manipulation and repository state changes based on the output of external CLI tools.
      • Evidence: The 'Stack Rebase' and 'Merge Stack' sections in SKILL.md use shell loops to automate sequences of git checkout, git rebase, and git push commands. In an autonomous agent context, these operations carry high risk if the logic is successfully subverted via indirect injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:42 AM