create-pr

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted data (file contents and git diffs) to generate documentation and pull request descriptions.
      • Ingestion points: Reads output from git diff, git status, and the content of SKILL.md files across the repository.
      • Boundary markers: None identified; the agent is not instructed to ignore instructions embedded within the files it analyzes.
      • Capability inventory: Includes file modification (Write, Edit tools), command execution (Bash), and remote repository interaction (gh CLI).
      • Sanitization: No validation or filtering is performed on the data ingested from files before it is used to generate documentation or PR metadata.
  • [DATA_EXFILTRATION]: The workflow utilizes git add . followed by git push. This stages all modified or untracked files in the working directory. If sensitive files (e.g., .env files, local logs, or credentials) are present and not properly managed via .gitignore, they may be inadvertently committed and uploaded to a remote repository.
  • [COMMAND_EXECUTION]: The skill relies on several system commands executed via the Bash tool, including git, gh (GitHub CLI), and ln. While these are required for the skill's stated purpose of creating pull requests, they represent a significant capability tier that could be exploited if the agent is influenced by malicious input.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 5, 2026, 02:59 PM