pr
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill ingests untrusted data from the repository using `git diff` to generate commit messages and PR metadata. An attacker could place instructions inside a file (e.g., in a code comment) that the LLM might follow while generating the PR title or description.
  - Ingestion points: File content is read via `git diff --cached` in Step 2 and Step 3.
  - Boundary markers: The instructions lack explicit delimiters or instructions for the LLM to ignore embedded commands within the diff data.
  - Capability inventory: The skill executes shell commands including `git push` and `gh pr create` (Step 3).
  - Sanitization: The skill uses a quoted heredoc (`'EOF'`) for the PR body which is a secure practice, but the PR title is interpolated into a double-quoted string which is less robust against injection.
- [COMMAND_EXECUTION]: Dynamic construction of shell commands. The skill assembles shell commands by interpolating variables generated by the model into command templates.
  - Evidence: In Step 3, the command `gh pr create --title "{title}"` is constructed. If the LLM generates a title containing unescaped double-quotes or command substitution sequences, it could potentially manipulate the CLI command execution.
Audit Metadata