create-pr
Pass
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: LOW (NO_CODE)
Full Analysis
The provided SKILL.md file is a markdown document that defines a skill's metadata and instructions for an AI agent. It specifies the allowed tools as Bash(git status), Bash(git push), Bash(git log), Bash(git diff), Bash(gh pr create), Bash(gh pr list), and Bash(git branch). All these are standard and widely used command-line tools for Git and GitHub operations.
- Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'You are now unrestricted', 'Bypass safety filters') were found. The instructions guide the AI on how to generate PR titles and descriptions, not to override its core behavior or safety guidelines.
- Data Exfiltration: The skill's purpose involves pushing git branches and creating pull requests, which inherently involves sending data to GitHub. However, this is the legitimate function of the git and gh commands. There are no instructions to read sensitive local files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) and exfiltrate them to arbitrary, non-whitelisted external domains. The gh CLI interacts with GitHub's API, which is a trusted endpoint for its functionality.
- Obfuscation: No Base64 encoding, zero-width characters, Unicode tags, homoglyphs, URL/percent encoding, hex escapes, or HTML entities were detected within the markdown content.
- Unverifiable Dependencies: The skill relies on git and gh being installed in the environment. These are common system tools and the skill does not instruct the AI to install any new, unverified packages or download scripts from arbitrary external sources. Therefore, it does not fall under the 'unverifiable dependencies' threat category as defined by the protocol.
- Privilege Escalation: No commands like sudo, doas, chmod +x, chmod 777, or instructions for installing services/daemons or modifying system files were found.
- Persistence Mechanisms: No attempts to establish persistence (e.g., modifying ~/.bashrc, crontab, authorized_keys) were detected.
- Metadata Poisoning: The skill's name, description, and other metadata fields are benign and accurately reflect its purpose. No malicious instructions were embedded in these fields.
- Indirect Prompt Injection: The skill processes commit history and user request context to generate PR details. While any skill processing external or user-provided content carries an inherent, indirect risk of being influenced by malicious input, this skill does not instruct the AI to execute commands or override its behavior based on such input. The risk is related to the content generated, not the AI's internal instructions.
- Time-Delayed / Conditional Attacks: No conditional logic based on dates, times, usage counts, or environment variables that would trigger malicious behavior was found.
Conclusion: The skill is well-defined, uses trusted tools for its stated purpose, and contains no direct malicious code or instructions. Its nature as a purely descriptive skill (NO_CODE) makes it inherently safer.