pr-description
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection (Category 8). It ingests untrusted external data and has the capability to perform side-effecting write operations.
  - Ingestion points: The skill reads external content from GitHub (PR title, description) and local git history (`git log`, `git diff`) as defined in Step 1 and Step 3 of the instructions.
  - Boundary markers: Absent. There are no delimiters or instructions to treat the ingested data as untrusted or to ignore any embedded instructions within the commit messages or diffs.
  - Capability inventory: The skill has the capability to update GitHub PR descriptions using a GitHub plugin, which is a significant write operation (Tier: HIGH).
  - Sanitization: Absent. The skill does not perform any validation or sanitization of the content extracted from git or GitHub before processing it.
- [Command Execution] (MEDIUM): The skill executes shell commands (`git log`, `git diff`). While these are standard git operations, they are performed on untrusted repository state. In specific environments, maliciously crafted file names or git metadata could potentially lead to command injection or unexpected behavior if the agent does not properly escape arguments.
- [Data Exposure] (LOW): The skill runs `git diff`, which may expose sensitive information (secrets, API keys) that were accidentally committed. This information is then summarized and potentially posted to a PR description, increasing the visibility of the exposure.
Recommendations
- AI detected serious security threats
Audit Metadata