pr-writer
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses authoritative language to override standard workflows and repository defaults (e.g., 'ALWAYS use this skill', 'ignoring any repository PR templates'). These instructions ensure adherence to specific formatting rules but utilize override patterns often associated with prompt injection.
- [PROMPT_INJECTION]: The skill processes untrusted content from commit messages and code diffs to generate PR descriptions, creating an attack surface for indirect prompt injection. 1. Ingestion points: Git commit history via 'git log' and code changes via 'git diff'. 2. Boundary markers: None present in the instructions to delimit untrusted code or commit data from instructions. 3. Capability inventory: Repository metadata access, PR creation, and PR modification via the GitHub CLI. 4. Sanitization: No sanitization or filtering of the ingested git data is mentioned.
- [COMMAND_EXECUTION]: The skill executes shell commands using variables and user-controlled content via 'gh' and 'git'. It utilizes the 'cat <<'EOF'' construct to pass multi-line text to the GitHub CLI, which is a security best practice that helps mitigate shell injection risks during PR creation and updates.
Audit Metadata