pr-writer

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted content from git commit messages and branch names, which constitutes a potential surface for indirect prompt injection. However, given the skill's output is restricted to pull request documentation, the risk is minimal.
  • Ingestion points: The agent reads commit logs and bodies via SKILL.md (Step 1) and the scripts/draft-pr.sh helper script.
  • Boundary markers: No explicit delimiters are used to separate commit message content from agent instructions.
  • Capability inventory: The skill performs read-only subprocess calls (git log, git show) to gather context.
  • Sanitization: No sanitization is performed on commit messages or metadata before processing.
  • [COMMAND_EXECUTION]: The skill uses a local shell script and direct agent instructions to execute standard git commands for repository metadata retrieval.
  • Evidence: scripts/draft-pr.sh executes git remote get-url and git log to extract repository URLs and commit history.
  • Evidence: SKILL.md instructs the agent to use git log --oneline and git show to understand code changes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 01:59 AM
Security Audit — agent-trust-hub — pr-writer