create-pr
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it reads and summarizes commit messages, branch names, and git diffs to generate PR titles and bodies. Malicious instructions or adversarial text embedded in commit messages could theoretically influence the agent's behavior during the summarization process.
- Ingestion points: The skill reads external data via
git log --oneline,git diff, and branch name extraction. - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat commit data as untrusted or to ignore embedded instructions.
- Capability inventory: The agent has the ability to write to the repository's metadata via
gh pr create. - Sanitization: There is no evidence of filtering or escaping commit content before it is processed by the language model.
- [COMMAND_EXECUTION]: The skill uses local system commands
gitandghto retrieve repository state and create pull requests. These operations are the primary intended function of the skill and are restricted to the explicitly allowed tools. The default use of--dry-runserves as a safety control for these executions.
Audit Metadata