pr-creator
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands to retrieve repository state and changes, including `git branch`, `git remote`, `git diff`, and `git log`. While necessary for the skill's functionality, this assumes a secure environment where command execution is permitted and monitored.
- [PROMPT_INJECTION]: The skill uses authoritative language ('CRITICAL', 'strict, non-negotiable requirement') to enforce an English-only output policy. While used for formatting, this pattern of overriding user preferences and agent behavior with high-priority markers is a common injection technique that could conflict with safety protocols.
- [DATA_EXPOSURE]: The skill is designed to capture and process full repository diffs (`git diff <base-branch>...<current-branch>`). If the repository contains sensitive information (e.g., hardcoded secrets in the diff), this data would be captured and potentially sent to the chat interface or an external GitHub API endpoint.
- [PROMPT_INJECTION]: The skill contains a 'Writing Style' section that forces a highly specific and informal persona ('chill dudes', 'puff on a hookah'). While not inherently malicious, it imposes an unusual behavioral constraint on the agent that could be used to bypass professional or safety-oriented communication guidelines.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to indirect instructions embedded in the data it processes.
  - Ingestion points: The agent reads external data via `git diff` and `git log` commands in `SKILL.md` (Step 3 and Step 4).
  - Boundary markers: None. There are no instructions to ignore or delimit potentially malicious instructions found within commit messages or code changes.
  - Capability inventory: The agent can execute system commands (`git`) and interact with the GitHub API to create PRs.
  - Sanitization: None. The skill explicitly directs the agent to 'Review every modified file' and 'Understand the cumulative impact of all commits', which ensures the agent will process any injection payload present in the repository history.
Audit Metadata