send-pr
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from local files (e.g., agents.md, .ai/*.md) and interpolates this content into the PR description, creating an indirect prompt injection surface.
  - Ingestion points: SKILL.md reads multiple repository files including agents.md, .ai/issue-analysis.md, and .ai/implementation-plan.md.
  - Boundary markers: No delimiters or instructions are provided to the agent to treat file content as untrusted data.
  - Capability inventory: The skill executes the gh pr create shell command.
  - Sanitization: No sanitization or escaping is applied to the content retrieved from repository files before it is used in the command or PR body.
- [COMMAND_EXECUTION]: The skill utilizes the GitHub CLI (gh) to create pull requests. Arguments for the command are derived from local file content, which could lead to command injection if malicious data is present, although the user confirmation requirement provides a critical safety check.
Audit Metadata