create-pr
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted data from the local repository that could contain malicious instructions.
  - Ingestion points: Reads commit messages (`git log`) and code changes (`git diff`) in `SKILL.md` to generate PR content.
  - Boundary markers: Uses clear console headers (e.g., `=== Changed files ===`) to separate git output, but lacks explicit instructions to the model to ignore embedded commands within the diffs.
  - Capability inventory: The skill has the ability to push code (`git push`) and create pull requests (`gh pr create`).
  - Sanitization: Employs a quoted heredoc (`cat <<'EOF'`) in the shell script to prevent the shell from interpreting characters within the generated PR body, though the `--title` argument remains wrapped in standard double quotes, which could be sensitive to command substitution if the generated title is not sanitized.