github-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability through untrusted data ingestion.
- Ingestion points: `git --no-pager log` and `git --no-pager show` in `SKILL.md` are used to read commit history.
- Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore malicious content within commit messages.
- Capability inventory: Execution of shell commands (`gh pr create`, `gh pr edit`, `git push`) and file system writes (`cat << EOF`, `Out-File`).
- Sanitization: Absent. Malicious commit messages could contain instructions that trick the agent into generating dangerous PR content or altering the command structure.
- [COMMAND_EXECUTION] (MEDIUM): Potential for command injection during dynamic shell command construction.
- Evidence: The skill instructs the agent to construct commands like `gh pr create ... --title "<標題>"` using generated strings. If a commit message contains shell metacharacters (e.g., backticks or dollar-parens) and the agent includes them in the title without proper escaping, it could lead to arbitrary command execution in the user's shell environment.
Recommendations
- AI detected serious security threats