pr-generate
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It reads commit history and code diffs which are then used to generate a pull request title and description. Malicious content within a commit message could theoretically influence the agent's output or subsequent actions.
- Ingestion points: The skill executes
git logandgit diffinSKILL.mdto gather context for PR generation. - Boundary markers: No specific delimiters or instructions to ignore instructions embedded in the diff/logs are provided.
- Capability inventory: The agent can push code to remote repositories (
git push) and create pull requests (gh pr create), representing a significant capability if the prompt is subverted. - Sanitization: The skill does not describe any sanitization or filtering of the commit messages or diff content before processing.
- [COMMAND_EXECUTION]: The workflow involves interpolating variables derived from the environment (branch names) and AI-generated strings (PR titles) directly into shell commands like
git pushandgh pr create. If these inputs contain shell metacharacters, it could lead to unintended command execution, though this is partially mitigated by the use of quotes in the instructions.
Audit Metadata