
create-pr

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill appends the raw $ARGUMENTS variable at the end of the instructions without any delimiters or boundary markers. This allows a user to provide input that overrides the skill's logic or forces the agent to execute unintended bash commands through the provided tools.
  • [COMMAND_EXECUTION] (HIGH): The skill defines Bash(git :*) and Bash(gh :*) as allowed tools. This broad wildcard permission grants the agent full control over the local git environment and the GitHub CLI, including the ability to delete branches, push to arbitrary remotes, or modify PR metadata if subverted.
  • [DATA_EXFILTRATION] (MEDIUM): The workflow reads sensitive repository context such as git log and git diff. If manipulated via injection, this data could be exfiltrated by including it in the auto-generated PR body, which is then published to a remote server (GitHub).
  • [INDIRECT_PROMPT_INJECTION] (HIGH): This is the primary vulnerability surface.
      • Ingestion points: The skill ingests untrusted data from the local filesystem via git diff origin/main...HEAD --stat, git status --short, and git log --oneline -5.
      • Boundary markers: Absent. The untrusted data is fed directly into the context for analysis by the Haiku model.
      • Capability inventory: The agent has write-access capabilities including git push and gh pr create.
      • Sanitization: Absent. There is no logic to filter or escape malicious instructions embedded in code comments or commit messages that might be present in the diff or logs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:48 AM