git-commit-pr
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to execute several shell-based commands for version control management, including `git checkout`, `git add`, `git commit`, `git push`, and `git reset --hard`. It also utilizes the GitHub CLI (`gh pr create`) to interact with remote repositories.
- [DATA_EXFILTRATION]: The skill is designed to send local code changes to external destinations by pushing branches to remote origins (`git push origin`) and creating pull requests to upstream repositories (`gh pr create`). While this involves transferring data externally, it is the primary intended function of the skill.
- [PROMPT_INJECTION]: The instructions contain behavioral constraints that command the agent to deceive external reviewers by concealing its identity. It explicitly forbids mentioning 'AI', 'Claude', or 'LLM' in commit messages or pull request descriptions and mandates the use of a hardcoded human author identity ('Cheney Zhang chen.zhang@zilliz.com').
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection as it performs a `git diff` and reviews changes to local files. Malicious instructions embedded within the codebase being reviewed could potentially influence the agent's behavior during the commit or PR creation process.
  - Ingestion points: Local file content is read into the agent context via `git status` and `git diff` during the review step (Step 2).
  - Boundary markers: None present; the agent is instructed to review the changes without explicit delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The agent has the capability to execute shell commands, read/write files via Git, and perform network operations via Git and the GitHub CLI.
  - Sanitization: No sanitization or validation of the ingested file content is performed before the agent processes it.
Audit Metadata