pr
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from git diffs to generate pull request descriptions.
  - Ingestion points: The skill reads `git diff <base>..HEAD` and `git log` output (File: SKILL.md, Step 1).
  - Boundary markers: Absent. The instructions do not specify any delimiters or warnings to the model to ignore instructions embedded within the diff content.
  - Capability inventory: The skill can execute `gh pr create`, `gh pr edit`, and `git push`, allowing it to modify remote repository states.
  - Sanitization: Absent. There is no logic provided to sanitize or validate the content extracted from the code changes before using it to generate output.
- [COMMAND_EXECUTION]: The skill uses unsafe templates for executing shell commands with dynamically generated content.
  - Evidence: The instructions in SKILL.md for both 'Create Mode' (Step 4) and 'Update Mode' (Step 3) provide shell command templates like `gh pr create --title "..." --body "$(cat <<'EOF' ...body content... EOF)"`.
  - Detail: This pattern is susceptible to command injection if the generated content includes the `EOF` delimiter. A malicious input could terminate the heredoc and execute arbitrary shell commands in the user's environment.
Audit Metadata