pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes standard git and GitHub CLI (gh) commands. While these are legitimate tools, the skill uses them to process data from the local environment.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to how it handles external data.
- Ingestion points: The skill reads untrusted data from the codebase and commit history using `git diff` and `git log` (SKILL.md).
- Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when processing the output of git commands.
- Capability inventory: The skill can execute shell commands (`gh pr create`) which have side effects on external platforms (GitHub).
- Sanitization: There is no logic to sanitize or escape the content retrieved from the repository before it is placed into the PR template.
- Risk: Malicious instructions hidden in code comments or commit messages could influence the agent's behavior when generating the PR body, potentially leading to the inclusion of malicious content or unauthorized disclosure of information in the public PR.
Recommendations
- AI detected serious security threats