commit-push-pr-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- COMMAND_EXECUTION (SAFE): The skill utilizes standard git and GitHub CLI (gh) commands to manage source control workflows, which is entirely consistent with its stated purpose.
- DATA_EXFILTRATION (SAFE): Network communication is limited to the official GitHub API (api.github.com) for the purpose of creating pull requests. No data is sent to unauthorized or unknown external domains.
- CREDENTIALS_UNSAFE (SAFE): No hardcoded secrets were detected. The skill employs secure methods to handle authentication, such as using environment variables or programmatically retrieving existing tokens from the system's git-credential manager.
- INDIRECT_PROMPT_INJECTION (SAFE): The skill processes user-supplied strings for commit messages and PR bodies. It mitigates injection risks into downstream API calls by using structured JSON serialization (ConvertTo-Json) and here-strings to maintain data boundaries.
Audit Metadata