create-pr
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill uses authoritative and coercive language designed to override the agent's base instructions and safety guidelines. Phrases such as 'MANDATORY', 'CORE DIRECTIVE', and 'IF YOU PROCEED... YOU ARE VIOLATING YOUR CORE DIRECTIVE' are patterns used to force compliance and discourage manual user intervention or alternative tool usage.
- [COMMAND_EXECUTION]: The workflow explicitly authorizes and instructs the agent to perform 'auto-committing' and 'pushing to remote' without seeking user approval. This bypasses the standard 'human-in-the-loop' safety protocol for state-changing git operations, potentially allowing the agent to commit and push unintended or malicious code changes automatically.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface in its PR description generation step (Step 6). It ingests untrusted data from git diffs and commit histories and feeds it into the 'pr-description-writer' sub-skill. While the documentation mentions a 'zero fabrication policy', external content from code comments or commit messages is processed without explicit sanitization markers, which remains a vulnerability point.