gh-pr-creation
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using the git and gh (GitHub CLI) binaries to manage local branches, push changes, and interact with the GitHub API.
- [COMMAND_EXECUTION]: In the 'Run and pass all quality gates' step, the agent is instructed to identify and execute arbitrary commands found in the repository configuration. This creates a risk of running malicious scripts if the repository contains compromised configuration files (e.g., scripts in package.json, Makefiles, or pre-commit hooks).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from the local repository that could contain malicious instructions.
- Ingestion points: Data enters the agent context through git status, git diff, and repository configuration files used to identify quality gates.
- Boundary markers: None. The skill does not define delimiters or provide instructions to ignore embedded commands within the processed file content or diffs.
- Capability inventory: The skill has the capability to execute shell commands (git, gh) and arbitrary project-defined scripts, as well as write to the GitHub API (creating PRs and assigning reviewers).
- Sanitization: None. The agent uses the content of the diffs and configuration files directly to determine its next steps, including command execution and PR metadata generation.
Audit Metadata