update-pr
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the GitHub CLI (`gh pr edit`) to update pull request titles and descriptions. This is a standard operation for the stated purpose of managing PR metadata.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it incorporates untrusted external content into the agent's context.
  - Ingestion points: In `SKILL.md`, the workflow specifies reading the current PR title, body, and branch diff as primary inputs.
  - Boundary markers: No explicit delimiters (like XML tags or triple quotes) or negative constraints (like instructions to ignore embedded commands) are defined to separate the data from the agent's instructions.
  - Capability inventory: The agent has the authority to write back to the PR using the `gh pr edit` command, which could be abused if malicious instructions in a PR diff or body were obeyed.
  - Sanitization: The instructions lack input validation or filtering steps to ensure that content extracted from the PR does not influence the agent's operational logic.
Audit Metadata