pr-writer
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted content from git commit messages and branch names, which constitutes a potential surface for indirect prompt injection. However, given the skill's output is restricted to pull request documentation, the risk is minimal.
- Ingestion points: The agent reads commit logs and bodies via
SKILL.md(Step 1) and thescripts/draft-pr.shhelper script. - Boundary markers: No explicit delimiters are used to separate commit message content from agent instructions.
- Capability inventory: The skill performs read-only subprocess calls (
git log,git show) to gather context. - Sanitization: No sanitization is performed on commit messages or metadata before processing.
- [COMMAND_EXECUTION]: The skill uses a local shell script and direct agent instructions to execute standard git commands for repository metadata retrieval.
- Evidence:
scripts/draft-pr.shexecutesgit remote get-urlandgit logto extract repository URLs and commit history. - Evidence:
SKILL.mdinstructs the agent to usegit log --onelineandgit showto understand code changes.
Audit Metadata