create-pr
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local
gitandgh(GitHub CLI) commands to manage the development lifecycle. It also runs a bundled bash script,estimate-base-branches.sh, which uses standard git utilities to calculate branch merge bases. No unauthorized or suspicious command patterns were detected. - [DATA_EXFILTRATION]: The skill uploads data to the remote
originviagit push. To prevent accidental exposure of secrets, the workflow includes a safety check that monitors for sensitive file names (e.g.,.env,credentials,.pem) and halts the automation for mandatory user confirmation if such files are part of the changes. - [PROMPT_INJECTION]: The skill is subject to indirect prompt injection (Category 8) because it uses repository content (diffs and logs) to generate the PR draft.
- Ingestion points: External data enters through
git diffandgit logoutput processed in Step 3. - Boundary markers: None; the raw git output is interpolated directly into the context for summary generation.
- Capability inventory: The skill has permissions to write to the file system (git commit) and perform network operations (git push/gh pr create).
- Sanitization: There is no automated sanitization of the diff content, but the skill enforces a mandatory preview and approval step in Step 4, ensuring a human verifies the generated content before it is published.
Audit Metadata