git-pr-workflows-pr-enhance
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `PRAnalyzer` class in `resources/implementation-playbook.md` executes local system commands using the `subprocess` module.
  - Evidence: In `_get_changed_files` and `_get_change_stats`, the variable `base_branch` is interpolated directly into a command string: `cmd = f"git diff --name-status {base_branch}...HEAD"`.
  - Risk: While the skill uses argument lists instead of raw shell execution, the lack of validation on the `base_branch` parameter allows an attacker to pass arbitrary flags to the `git` binary. This could be exploited to read files or trigger external scripts if certain git configuration flags are passed.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from code changes to generate summaries.
  - Ingestion points: The agent reads and processes git diffs and file content in `resources/implementation-playbook.md` to generate PR descriptions and checklists.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to help it distinguish between the code being analyzed and the instructions for the analysis task.
  - Capability inventory: The agent has the capability to execute shell commands (`git`), perform automated code reviews, and generate documentation.
  - Sanitization: The skill lacks any filtering or sanitization of the input diff data before it is interpolated into the natural language generation process.
  - Risk: An attacker could embed malicious instructions within a pull request (e.g., inside a code comment or a commit message) that could influence the agent's summary, potentially hiding malicious changes or tricking the agent into marking the PR as 'safe' erroneously.
Audit Metadata