push-pr
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses dynamic context injection (the
!commandsyntax) inSKILL.mdto automatically gather repository state, such asgit status, the current branch name, and recent commit logs, at the time the skill is invoked. - [COMMAND_EXECUTION]: The skill executes various git and GitHub CLI commands through the
Bashtool to perform operations such as branch management, code pushing, and pull request creation. - [COMMAND_EXECUTION]: The skill executes a local Python script
scripts/format-pr-body.pyto generate PR descriptions. This script usessubprocess.runto callgit logandgit diff. It uses the list-based argument format and avoidsshell=True, which is a secure practice that prevents standard shell command injection. - [DATA_EXFILTRATION]: The skill reads local repository information, including commit messages and file diffs, and transmits this data to GitHub via
git pushandgh prcommands. This behavior is consistent with the skill's primary function of submitting code for review. - [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it reads git commit messages and file names and includes them in pull request descriptions without sanitization or boundary markers.
- Ingestion points: The
get_commitsandget_changed_filesfunctions inscripts/format-pr-body.pyingest data directly from the local git command outputs. - Boundary markers: The generated PR body does not use delimiters or explicit instructions to distinguish system-generated text from the content of commit messages.
- Capability inventory: The skill has the capability to push to remote repositories and create persistent records on GitHub via the
ghtool. - Sanitization: The script does not perform validation or escaping of commit messages before interpolating them into the markdown PR body.
Audit Metadata