simple-pr
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads untrusted content from staged changes using
git diff --cachedinSKILL.md. This content is directly used to influence the generation of commit messages and branch names without any boundary markers or sanitization. * Ingestion points: Output ofgit diff --cached. * Boundary markers: Absent; the LLM is directly asked to summarize the diff without delimiters. * Capability inventory:git commit,git push, andgh pr create(SKILL.md) allow for side-effects in the repository. * Sanitization: Absent; the content of the diff is not sanitized or escaped before processing. - Capability Risk (HIGH): The skill has the authority to execute sensitive operations including
git commit,git push, andgh pr create. Combined with the injection surface, this allows an attacker to potentially force the agent to push malicious code or create deceptive PRs. - Command Execution (LOW): The skill executes various git and GitHub CLI commands. While these are required for its stated purpose, they provide the mechanism through which the injected instructions would manifest as actions.
Recommendations
- AI detected serious security threats
Audit Metadata