pr
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local bash script scripts/detect-forge-cli.sh to identify the repository hosting service. It also invokes system binaries such as git, gh (GitHub CLI), and glab (GitLab CLI) to perform branch pushes and PR/MR management tasks.
- [DATA_EXFILTRATION]: The skill transmits repository content, including code diffs and commit messages, to external services (GitHub or GitLab). This is the intended purpose of the skill for creating pull or merge requests.
- [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection, as it reads and summarizes untrusted data from the repository (e.g., commit messages and file diffs) to generate PR/MR descriptions.
- Ingestion points: Repository metadata is retrieved via git log, git diff, and forge-specific view commands as defined in SKILL.md.
- Boundary markers: The instructions lack explicit delimiters or warnings to ignore malicious instructions that might be embedded in commit history or diffs.
- Capability inventory: The agent possesses capabilities to push code to remote repositories and modify review request metadata.
- Sanitization: No validation or sanitization is performed on the repository content before it is processed by the agent to generate textual summaries.
Audit Metadata