create-pr
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from the git environment, including commit logs, code diffs, and repository-hosted templates, which can be manipulated by an attacker to influence agent behavior through indirect prompt injection.
- Ingestion points:
git log,git diff, and.github/PULL_REQUEST_TEMPLATE.md(Steps 4 and 6 in SKILL.md). - Boundary markers: Absent. The skill does not use delimiters to wrap the untrusted data or provide instructions to ignore embedded commands.
- Capability inventory: The skill uses the
Bashtool to executegitandgh(GitHub CLI) commands (Steps 1, 2, 4, 7). - Sanitization: Absent. No escaping or validation is specified for the data extracted from the repository.
- [COMMAND_EXECUTION]: The skill executes the
gh pr createcommand using strings generated from its analysis of code changes. If the agent does not properly escape shell metacharacters in the generated title or body, it could lead to arbitrary command execution when calling theBashtool.
Audit Metadata