create-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It processes external inputs such as 'acceptance criteria' and 'scope' while maintaining powerful capabilities like repository modification and script execution. Evidence Chain: 1. Ingestion points: 'Confirm scope' step in SKILL.md reads user-provided criteria. 2. Boundary markers: None present. 3. Capability inventory: Subprocess calls for lint, test, build and gh CLI commands in SKILL.md. 4. Sanitization: None present.
- COMMAND_EXECUTION (HIGH): The instruction to run 'the repo’s standard commands' in SKILL.md grants the agent permission to execute arbitrary code defined in the local environment. If an attacker can influence the repository content, they can achieve arbitrary code execution via the agent's quality gate checks.
- CREDENTIALS_UNSAFE (LOW): Interactions with 'gh auth login' and 'gh auth status' in SKILL.md make the agent's session and the associated GitHub token a target for potential exfiltration via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata