pr-create

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI (gh) to perform repository operations, including pushing branches and creating pull requests.
  • [DATA_EXFILTRATION]: The skill reads local git data (diffs and commit history) and sends it to GitHub to create pull requests. This is the primary intended function of the skill and occurs only after explicit user confirmation.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from the repository environment to generate pull request descriptions, which creates a potential surface for indirect prompt injection.
  • Ingestion points: Git branch names, commit messages, and file diffs are read to provide context for description generation in SKILL.md.
  • Boundary markers: None specific to data isolation are present in the instructions.
  • Capability inventory: Executes shell commands via the gh CLI as documented in SKILL.md.
  • Sanitization: No automated sanitization is described, but the skill enforces a 'Confirmation Protocol' requiring the user to review the PR content and reply 'approve' before execution.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 27, 2026, 11:21 AM