pr-description-writer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection via the GitHub CLI.
  - Ingestion points: The skill automatically executes `gh pr view --json body` to read the existing description of a Pull Request. This content is attacker-controlled and considered untrusted data.
  - Boundary markers: There are no instructions to use delimiters or to ignore instructions embedded within the ingested PR body.
  - Capability inventory: The skill possesses the capability to modify repository state via `gh pr edit`, which includes updating the title and body.
  - Sanitization: No sanitization or validation of the ingested content is performed before the agent 'notes' it for use in generating the new PR content.
- [Command Execution] (HIGH): The instructions for updating a PR are vulnerable to command injection.
  - Evidence: The skill instructs the agent to run `gh pr edit <number> --title "<new title>" --body "..."`. The `<new title>` is wrapped in double quotes. If the agent-generated title contains shell metacharacters (e.g., `$(...)`, `` `...` ``, or `" && command`), it could lead to arbitrary command execution in the shell environment where the agent operates. While the body uses a heredoc (`<<'EOF'`), the title parameter remains an injection vector.
Recommendations
- AI detected serious security threats
Audit Metadata