ai-create-pr
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from external sources to generate content.
- Ingestion points: The skill reads untrusted data from the local repository using
git diff main...HEADandgit log main..HEAD --oneline(SKILL.md). - Boundary markers: Absent. The instructions do not direct the agent to treat the diff content as untrusted or to ignore instructions embedded within the code changes.
- Capability inventory: The agent has the ability to
Writeto the local filesystem and useBashto executegit commitandgit pushoperations (SKILL.md). - Sanitization: Absent. There is no evidence of sanitization or filtering of the diff content before it is processed by the LLM.
- [COMMAND_EXECUTION]: The skill relies on shell command execution to perform git operations. Specifically, it uses
git -C "$V" commit -m "<message>"andgit -C "$V" push. If the generated PR title or branch name contains shell metacharacters and is not properly escaped by the agent, it could lead to command injection. - [DATA_EXFILTRATION]: The skill is configured to automatically push changes to a remote Git repository (
git push). While intended for synchronization, this mechanism could be abused to exfiltrate data if the vault repository's remote origin is redirected or if the agent is manipulated into including sensitive information (like environment variables or credentials found during the diff process) in the PR notes.
Audit Metadata