skills/mattbaconz/signal/signal-pr/Gen Agent Trust Hub

signal-pr

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to 'not stop after acknowledging', 'not ask for confirmation', and 'immediately run' shell commands. This pattern intentionally bypasses human-in-the-loop safety protocols for state-changing operations like code pushes and pull request creation.
  • [COMMAND_EXECUTION]: The skill relies on local Bash and PowerShell scripts ('pr.sh', 'pr.ps1') to execute Git commands and the GitHub CLI ('gh'). While these perform the stated functionality, they represent the execution of arbitrary local scripts and system binaries.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes untrusted file diffs and commit messages to generate the pull request title and body.
      • Ingestion points: Local file diffs and commit history (SKILL.md Step 2 & 3).
      • Boundary markers: None; the prompt template does not use delimiters to isolate untrusted code content from the instruction context.
      • Capability inventory: Git push (via dependency) and GitHub PR creation ('gh pr create').
      • Sanitization: There is no evidence of sanitization or escaping of the diff content before it is processed by the agent to generate PR metadata.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 5, 2026, 11:45 PM