github-pr-creation
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface (Category 8) identified. The skill ingests untrusted content from the environment and uses it to generate text.
- Ingestion points: Commit messages (Step 3), GitHub issue descriptions (Step 2), and local repository files such as
.cursorrulesortasks.md(Step 2). - Boundary markers: Absent. The instructions do not define delimiters or provide 'ignore instructions' warnings for processed data.
- Capability inventory: Execution of shell commands via
gitandghtools (Steps 8 and 9). - Sanitization: No sanitization or escaping of the ingested text is performed before it is interpolated into the PR body or displayed to the user.
- [COMMAND_EXECUTION] (SAFE): The skill utilizes command-line tools (
git,gh) for its primary purpose. The risk of malicious command execution is significantly mitigated by the 'Important rules' section, which strictly mandates user confirmation for the target branch, PR content, and final creation command.
Audit Metadata