prepare-pr
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (LOW): Potential for Indirect Prompt Injection (Category 8) through untrusted review data.
  - Ingestion points: Untrusted data is ingested from `.local/review.json` using `jq`.
  - Boundary markers: Absent. The agent is not instructed to treat fields like `fix` or `title` as untrusted or to ignore instructions embedded within them.
  - Capability inventory: The skill has the capability to modify repository files, create commits via `scripts/committer`, and push to remote branches via `scripts/pr-prepare`.
  - Sanitization: Absent. There is no validation or escaping of the content from the review file before the agent is asked to act upon it.
- [COMMAND_EXECUTION] (LOW): The skill executes repository-local scripts (`scripts/pr-prepare`, `scripts/committer`) and system utilities like `jq`. This is the intended functional mechanism but relies on the security of the scripts within the repository.
- [DATA_EXFILTRATION] (SAFE): The skill performs `git push` operations to the PR head branch. While this involves network transfer of repository data, it is the explicitly stated purpose of the skill and includes safety checks like `--force-with-lease` and pre-push verification.