create-pr
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes and incorporates potentially untrusted data from the repository's history and current changes. * Ingestion points: The skill reads content from
git log,git diff, and.github/PULL_REQUEST_TEMPLATE.mdas specified in the Workflow sections ofSKILL.md. * Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard embedded instructions within the git output. * Capability inventory: The skill possesses the capability to execute shell commands via theBashtool, includinggh pr create. * Sanitization: The skill does not implement sanitization or validation of the text extracted from the git logs and diffs before using it to construct the pull request. - [COMMAND_EXECUTION]: The skill performs its primary workflow by executing various system commands. * Evidence: The workflow in
SKILL.mdrelies ongitfor repository state andghfor authenticated interactions with GitHub, which are well-known and expected tools for this use case.
Audit Metadata