Skills
skills/kelvinz/cobb/open-pr/Gen Agent Trust Hub

open-pr

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill reads external documentation files (PRDs) to gather context for PR creation.
  • Ingestion points: The skill reads PRD files located at tasks/f-##-<slug>.md (referenced in SKILL.md).
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore embedded commands within the PRD content.
  • Capability inventory: The skill possesses significant write capabilities, including git push -u origin HEAD and gh pr create/edit (referenced in SKILL.md).
  • Sanitization: No sanitization or validation of the PRD content is performed before it is interpolated into PR titles, bodies, or agent reasoning.
  • Command Execution (MEDIUM): The skill invokes several shell commands to interact with the repository and GitHub CLI.
  • Evidence: Execution of git push, gh pr view, gh pr edit, and gh pr create based on variables derived from local files.
  • Risk: If an attacker can manipulate the PRD or the local environment (e.g., branch names), they might influence the parameters passed to these commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 02:27 AM