jj-create-pr
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using the jj (Jujutsu) and gh (GitHub CLI) tools to inspect repository state, manage bookmarks, push changes to a remote, and create pull requests on GitHub.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes repository data that may contain malicious instructions.
- Ingestion points: Untrusted data enters the agent context through jj log (capturing existing commit descriptions) and jj diff (capturing code changes) as described in Step 2 and Step 3 of SKILL.md.
- Boundary markers: The instructions do not define boundary markers or instruct the agent to ignore instructions embedded within the diff or commit history during the PR generation process.
- Capability inventory: The skill possesses capabilities to execute shell commands and perform write operations to remote repositories via jj git push and gh pr create.
- Sanitization: There is no evidence of sanitization, validation, or escaping of the ingested repository content before it is interpolated into the prompt logic used to generate titles and descriptions.
Audit Metadata