plot-approve
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `git` and the GitHub CLI (`gh`) to perform actions like merging pull requests, creating branches, and pushing commits. While these are legitimate actions for this skill, they involve high-privilege operations on the repository.
- [COMMAND_EXECUTION]: Executes an external helper script via a relative path at `../plot/scripts/plot-pr-state.sh`. This introduces a dependency on external file integrity outside the direct scope of the skill's folder.
- [PROMPT_INJECTION]: The skill processes untrusted data from project files, creating an indirect prompt injection surface.
  - Ingestion points: Reads Markdown plan files from `docs/plans/active/` (SKILL.md steps 4 and 4b) to extract branch names and task descriptions.
  - Boundary markers: No specific delimiters or instructions are used to signal the agent to ignore potentially malicious content within these parsed files.
  - Capability inventory: The skill allows the agent to create new branches, commit code, and generate pull requests (SKILL.md step 5).
  - Sanitization: The input `slug` is validated for character set, but branch names and descriptions extracted from the Markdown files are used directly in shell commands and PR metadata without sanitization.
Audit Metadata