1k-create-pr
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands (`git` and `gh`) using variables such as `<branch-name>`, `<type>`, and `<description>` that are dynamically generated from conversation context. Without proper escaping, this could lead to command injection if malicious strings are introduced into the conversation history.
- [DATA_EXFILTRATION]: The workflow utilizes `git add .` to stage changes before pushing to a remote server. This behavior risks the accidental commitment and exfiltration of sensitive local files, such as environment variables or private keys, if they are not correctly excluded by a .gitignore file.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it explicitly instructs the agent to populate PR metadata based on the full conversation history without providing sanitization or boundary markers.
  - Ingestion points: Full conversation history used to extract Intent, Root Cause, and Design Decisions.
  - Boundary markers: Absent; no delimiters are used to separate untrusted conversation content from the system instructions.
  - Capability inventory: The skill can perform repository modifications (`git commit`), code uploads (`git push`), and automated merges (`gh pr merge`).
  - Sanitization: None; the skill lacks any mechanism to validate or filter the extracted context before it is inserted into command arguments or the PR body.
- [COMMAND_EXECUTION]: The use of `gh pr merge --auto --squash` enables automated merging of changes. When combined with AI-generated PR content and automated pushing, this increases the risk of malicious code being merged into the primary branch without a manual security review if the agent is successfully manipulated.
Audit Metadata