ai-create-pr

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from external sources to generate content.
  • Ingestion points: The skill reads untrusted data from the local repository using git diff main...HEAD and git log main..HEAD --oneline (SKILL.md).
  • Boundary markers: Absent. The instructions do not direct the agent to treat the diff content as untrusted or to ignore instructions embedded within the code changes.
  • Capability inventory: The agent has the ability to Write to the local filesystem and use Bash to execute git commit and git push operations (SKILL.md).
  • Sanitization: Absent. There is no evidence of sanitization or filtering of the diff content before it is processed by the LLM.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution to perform git operations. Specifically, it uses git -C "$V" commit -m "<message>" and git -C "$V" push. If the generated PR title or branch name contains shell metacharacters and is not properly escaped by the agent, it could lead to command injection.
  • [DATA_EXFILTRATION]: The skill is configured to automatically push changes to a remote Git repository (git push). While intended for synchronization, this mechanism could be abused to exfiltrate data if the vault repository's remote origin is redirected or if the agent is manipulated into including sensitive information (like environment variables or credentials found during the diff process) in the PR notes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 02:44 PM
Security Audit — agent-trust-hub — ai-create-pr