pr-creation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection due to its processing of untrusted external content alongside high-privilege tool access.
  - Ingestion points: The skill reads external data from GitHub issues, PR comments, and test verification summaries.
  - Boundary markers: No delimiters or safety instructions are used to isolate untrusted data from the agent's command logic.
  - Capability inventory: The agent utilizes the 'Bash' tool and 'gh' CLI, granting it the ability to execute shell commands and modify the repository.
  - Sanitization: There is no evidence of sanitization or escaping of external strings before they are interpolated into the shell environment.
- [COMMAND_EXECUTION] (MEDIUM): The skill grants the agent the authority to perform sensitive repository operations, including 'git push --force-with-lease' and 'gh pr create'. In an environment where the agent can be influenced by untrusted external data, these capabilities provide a direct path for an attacker to compromise the integrity of the codebase.
Recommendations
- AI detected serious security threats