skills/smithery/ai/create-pr/Gen Agent Trust Hub

create-pr

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from a local repository and uses it to drive external write operations via the GitHub CLI.
      • Ingestion points: The skill explicitly directs the agent to analyze local files, git diff, and git log output in SKILL.md.
      • Boundary markers: Absent; there are no instructions or delimiters provided to help the agent distinguish between its own logic and potentially malicious instructions embedded in the code it analyzes.
      • Capability inventory: High-risk write capabilities are present, specifically gh pr create (which creates external artifacts) and git push (which modifies the remote repository).
      • Sanitization: Absent; data from the repository is interpolated directly into a shell command template without validation or escaping.
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes the Bash tool with access to git:* and gh:*. While functional, the shell construction gh pr create ... --body "$(cat <<'EOF' ... EOF )" is potentially vulnerable to manipulation. If the agent is tricked into inserting shell meta-characters into the template, it could lead to unintended command execution on the host environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 04:38 AM