create-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill retrieves data from potentially untrusted sources within the repository.
  - Ingestion points: The skill reads the contents of `.github/pull_request_template.md` and git commit messages via `git log` (SKILL.md, Steps 2 and 5).
  - Boundary markers: There are no boundary markers or instructions to the agent to ignore instructions embedded within the template or commit history.
  - Capability inventory: The skill possesses the capability to push code to remote repositories (`git push`) and create pull requests (`gh pr create`).
  - Sanitization: No sanitization or validation is performed on the extracted text before it is used.
- Command Injection (HIGH): The skill uses string interpolation to build shell commands.
  - Evidence: In Step 5, the command `gh pr create --title "<PR_TITLE>" --body "<PR_BODY>"` is executed. If a malicious actor influences the commit messages or the PR template to include shell-active characters (e.g., backticks, subshell syntax `$()`, or unescaped quotes), it could lead to arbitrary command execution in the context of the agent's environment.
Recommendations
- AI detected serious security threats
Audit Metadata