create-pr
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes instructions to the AI to suppress its identity or tool attribution, specifically forbidding the inclusion of footers like "Generated with Claude Code" in PR descriptions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external sources.
  - Ingestion points: The skill reads data from `git log`, `git diff`, `gh issue list`, and `gh issue view` to generate PR content.
  - Boundary markers: There are no explicit instructions or delimiters provided to help the agent distinguish between data and potential instructions embedded in commit messages or issue descriptions.
  - Capability inventory: The skill can execute subprocesses via `git` and `gh`, including creating new Pull Requests with the processed content.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions from the ingested git or GitHub data before interpolation into the PR body.
- [COMMAND_EXECUTION]: The skill utilizes shell command substitution (`$(...)`) and heredocs to dynamically build the `gh pr create` command using output from other local git and GitHub CLI operations.
Audit Metadata