commit-push-pr

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Full Analysis
  • [DYNAMIC_CONTEXT_INJECTION]: The skill uses the !command syntax to retrieve repository context during initialization. The commands executed (git branch, git status, git log, git diff) are benign and standard for identifying the current development state.
  • [COMMAND_EXECUTION]: The skill performs standard software development operations including linting/formatting with ruff, running tests with pytest, and executing git/gh commands for version control. These are legitimate within the declared scope of a commit and PR workflow.
  • [EXTERNAL_DOWNLOADS]: Dependencies mentioned (ruff, pytest, gh) are well-known, industry-standard tools for Python development and GitHub integration. No suspicious or unverified third-party scripts are downloaded.
  • [DATA_EXFILTRATION]: Network activity is restricted to standard Git push operations and GitHub API calls (via gh CLI). The workflow includes a specific manual check step to prevent sensitive files such as .env or credentials from being committed by accident.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 26, 2026, 09:32 AM