pr-and-cleanup

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The file scripts/pr_and_cleanup.sh contains a command injection vulnerability in the create_pull_request function. It builds a command string by interpolating variables $TITLE and $BODY and then executes that string using eval. Because these variables are intended to hold user-supplied text, shell metacharacters can be used to execute unintended commands.
  • [REMOTE_CODE_EXECUTION]: The vulnerability allows for arbitrary command execution. If the agent populates the PR title or description using untrusted content from a repository, this becomes a vector for remote code execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data that reaches a sensitive sink.
      1. Ingestion points: The --title and --body parameters in scripts/pr_and_cleanup.sh.
      2. Boundary markers: None.
      3. Capability inventory: Git and GitHub CLI access with system shell capabilities via eval.
      4. Sanitization: No input validation or escaping is performed on the title or body strings before shell evaluation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 2, 2026, 02:13 AM