pr-reference
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection Surface]: The skill processes repository data, such as commit messages and code diffs, which are user-controlled and could contain instructions intended to influence the agent.
  1. Ingestion points: Commit subjects, bodies, and file diffs are retrieved via git in generate.sh and generate.ps1.
  2. Boundary markers: The output is structured as XML with elements for current_branch, base_branch, commits, and full_diff.
  3. Capability inventory: The skill performs file writes to the .copilot-tracking directory and executes read-only git commands.
  4. Sanitization: The skill wraps data in CDATA sections to ensure the agent perceives it as data.
- [Local Command Execution]: The skill executes git commands to retrieve repository information.
  - Evidence: Scripts in the scripts/ directory invoke git log, git diff, and git rev-parse.
  - Context: These operations are restricted to standard information retrieval from the local repository and are necessary for the skill's primary function of PR analysis.