stacked-prs

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Malicious Content] (HIGH): The SKILL.md file recommends the use of stacked.dev, a domain flagged as malicious by automated security scanners.
  • [Remote Code Execution] (HIGH): The script scripts/create-stacked-pr.md executes source scripts/stack-scripts.sh. This file is not included in the skill distribution, creating a critical vulnerability where arbitrary code could be executed if a malicious script is present in the environment's path.
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect injection because it ingests untrusted repository data (branch names, commit messages) and interpolates it directly into shell commands. An attacker could craft a malicious commit message containing shell metacharacters to achieve command injection when the agent runs gh pr create. Evidence: In scripts/create-stacked-pr.md, $(git log -1 --format=%s) is used within a command string without sanitization.
  • [External Downloads] (MEDIUM): Documentation in SKILL.md instructs users to run gh extension install dlvhdr/gh-dash, which downloads and executes third-party code from an untrusted GitHub repository.
  • [Command Execution] (MEDIUM): Extensive use of the Bash tool for git operations increases the overall attack surface, particularly when combined with the lack of input validation for repository-derived strings.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:21 AM