skills/dojoengine/saya/create-pr/Gen Agent Trust Hub

create-pr

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it retrieves and processes untrusted external content from GitHub comments and reviews.
  • Ingestion points: The scripts poll-pr.sh and triage-pr.sh fetch PR comments and review bodies via the GitHub API (e.g., repos/$repo/issues/$pr/comments), which are then provided to the agent.
  • Boundary markers: There are no explicit boundary markers or instructions to ignore potential commands embedded within the external comments or reviews.
  • Capability inventory: The skill allows the agent to execute sensitive commands including git commit, git push, gh pr merge, gh pr create, and wt remove (worktree removal).
  • Sanitization: No sanitization or validation of the fetched comment content is performed before the agent is instructed to 'Address feedback'.
  • [COMMAND_EXECUTION]: The skill uses dynamic context injection markers in SKILL.md to execute shell commands at load time.
  • Evidence: The file uses the syntax $git status --porcelain..., $git branch --show-current, and $gh pr view ... to gather information about the current repository state automatically.
  • Context: While these specific commands are standard development tools, they execute automatically without user confirmation whenever the skill is initialized.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 04:26 AM
Security Audit — agent-trust-hub — create-pr