create-pr
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in
SKILL.mdguide the agent to construct and execute shell commands using untrusted data without proper escaping. The commandgh pr create --title "<title>" --body "$(cat <<'EOF' ... EOF )"is susceptible to shell injection. The<title>variable is populated from commit messages or user input and is wrapped in double quotes; characters like backticks or double quotes could lead to arbitrary command execution. Additionally, the body heredoc$(cat <<'EOF')can be broken if the generated PR content contains the stringEOFon its own line followed by malicious shell commands.\n- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection due to how it processes external and user-supplied data without adequate safeguards.\n - Ingestion points: The skill ingests untrusted data from
$ARGUMENTSand repository metadata viagit logandgit diffinSKILL.md.\n - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the processed data.\n
- Capability inventory: The skill uses high-privilege capabilities including
git pushandgh pr createas seen inSKILL.md.\n - Sanitization: Absent; the skill performs no escaping or filtering on the ingested data before interpolation into prompts or shell commands.
Audit Metadata