pr-creator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads pull request templates from the repository (`.github/pull_request_template.md`) and uses them to draft descriptions. An attacker who can influence the repository content can embed malicious instructions in these templates to manipulate the agent's behavior.
  - Ingestion points: Step 4 reads the content of repository-defined PR templates.
  - Boundary markers: Absent. The skill does not use delimiters to isolate the template content from its own instructions.
  - Capability inventory: The skill can execute shell commands (`git`, `npm`, `gh`), push code to remote origins, and create pull requests.
  - Sanitization: Absent. The template content is used directly to form the PR body.
- Command Execution (HIGH): The skill executes `npm run preflight` in Step 6. If the workspace contains a malicious `package.json`, this allows for arbitrary code execution on the host machine where the agent is running.
- Metadata Poisoning (LOW): While the metadata is currently benign, the reliance on repository-provided files for logic (Step 3) creates a path for deceptive behavior if a repository contains misleadingly named templates.
Recommendations
- AI detected serious security threats