create-pr
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it retrieves and processes untrusted external content from GitHub comments and reviews.
- Ingestion points: The scripts
poll-pr.shandtriage-pr.shfetch PR comments and review bodies via the GitHub API (e.g.,repos/$repo/issues/$pr/comments), which are then provided to the agent. - Boundary markers: There are no explicit boundary markers or instructions to ignore potential commands embedded within the external comments or reviews.
- Capability inventory: The skill allows the agent to execute sensitive commands including
git commit,git push,gh pr merge,gh pr create, andwt remove(worktree removal). - Sanitization: No sanitization or validation of the fetched comment content is performed before the agent is instructed to 'Address feedback'.
- [COMMAND_EXECUTION]: The skill uses dynamic context injection markers in
SKILL.mdto execute shell commands at load time. - Evidence: The file uses the syntax $
git status --porcelain..., $git branch --show-current, and $gh pr view ...to gather information about the current repository state automatically. - Context: While these specific commands are standard development tools, they execute automatically without user confirmation whenever the skill is initialized.
Audit Metadata