git-pr-workflows-pr-enhance
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The implementation playbook contains Python code that constructs shell commands using f-strings and executes them via subprocess.run. This pattern is vulnerable to argument injection if parameters like branch names are provided by a user.
  - Evidence: The _get_changed_files and _get_change_stats methods in sub-skills/implementation-playbook.md build git diff commands using the base_branch variable.
- [PROMPT_INJECTION]: The skill is designed to process external, untrusted data (commit messages and code diffs) to generate documentation but lacks mechanisms to prevent indirect prompt injection from that data.
  - Ingestion points: sub-skills/implementation-playbook.md (processing git diffs and commit history via PRAnalyzer).
  - Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands in the processed data.
  - Capability inventory: The skill performs subprocess execution (git commands) and generates structured text output.
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the data ingested from the git repository before it is used to generate the final response.
Recommendations
- AI detected serious security threats
Audit Metadata