pr-commit-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes standard development tools, specifically git and the GitHub CLI (gh), to perform repository management tasks such as creating commits, opening pull requests, and retrieving pull request comments.
- [DATA_EXFILTRATION]: The script scripts/build_pr_body.sh collects non-sensitive environment metadata, including the operating system version, terminal program, and the presence of configuration directories for AI tools like Claude or Codex. This information is intended for documentation within the pull request body to provide context for human reviewers.
- [PROMPT_INJECTION]: The skill design includes a surface for indirect prompt injection as it is tasked with including verbatim prompt history and user-written intent in pull requests.
  - Ingestion points: Untrusted data is ingested from user input (intent) and agent logs (prompt history) as specified in references/workflow-pr.md.
  - Boundary markers: The skill employs Markdown blockquotes and table formatting to isolate and identify external content within the PR body.
  - Capability inventory: The agent can execute local shell commands, manage git history, and interact with the GitHub API via the gh tool.
  - Sanitization: The instructions explicitly direct the agent to redact sensitive information from the prompt history before inclusion, although no automated sanitization logic is implemented in the accompanying scripts.
Audit Metadata