create-pr

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md guide the agent to construct and execute shell commands using untrusted data without proper escaping. The command gh pr create --title "<title>" --body "$(cat <<'EOF' ... EOF )" is susceptible to shell injection. The <title> variable is populated from commit messages or user input and is wrapped in double quotes; characters like backticks or double quotes could lead to arbitrary command execution. Additionally, the body heredoc $(cat <<'EOF') can be broken if the generated PR content contains the string EOF on its own line followed by malicious shell commands.\n- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection due to how it processes external and user-supplied data without adequate safeguards.\n
  • Ingestion points: The skill ingests untrusted data from $ARGUMENTS and repository metadata via git log and git diff in SKILL.md.\n
  • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the processed data.\n
  • Capability inventory: The skill uses high-privilege capabilities including git push and gh pr create as seen in SKILL.md.\n
  • Sanitization: Absent; the skill performs no escaping or filtering on the ingested data before interpolation into prompts or shell commands.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 08:17 PM
Security Audit — agent-trust-hub — create-pr