yeet
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill contains an instruction to "install dependencies and rerun once" if checks fail. This allows the agent to perform arbitrary package installations (e.g., via npm, pip, or cargo) based on the contents of the repository being processed, which could lead to the execution of malicious pre-install scripts.
- [COMMAND_EXECUTION] (MEDIUM): The workflow specifies to "run pr-body.md". If an agent interprets this literally as executing the markdown file as a shell script, it would execute content dynamically generated from code deltas and user-provided descriptions, creating a path for arbitrary code execution.
- [COMMAND_EXECUTION] (LOW): The skill utilizes git and the GitHub CLI (gh) for staging, committing, and pushing code. These tools interact with remote repositories and perform network operations.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Git diffs and file status outputs are used to generate the PR body text.
  - Boundary markers: The instructions do not define boundary markers to separate trusted instructions from untrusted repository content.
  - Capability inventory: The agent has the ability to write files, execute shell commands, and interact with remote GitHub repositories.
  - Sanitization: No sanitization or validation is applied to the repository data before it is processed or used in the "run" command context.