pr-publish-agent
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill processes untrusted data from external sources which could contain malicious instructions.
  - Ingestion points: Reads from /orchestra-config.json and accepts external inputs for issue IDs and URLs.
  - Boundary markers: Absent. The instructions do not specify delimiters or warnings to ignore instructions embedded in the issue metadata or configuration file.
  - Capability inventory: Executes git push, gh pr create, and interacts with issue tracker MCPs to post comments and change statuses.
  - Sanitization: Absent. Input data is interpolated directly into command line arguments (e.g., in the gh pr create command).
- [Data Exposure & Exfiltration] (SAFE): The skill reads a configuration file (/orchestra-config.json) from the repository root. While this file might contain sensitive mappings, its use is restricted to configuring the internal logic of the agent and is not exfiltrated to unauthorized external domains.
- [Command Execution] (SAFE): Uses standard CLI tools (git and gh) for their intended purposes. The command patterns are well-defined and do not allow for arbitrary shell execution.