pr-description-writer
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes
gitandghCLI commands to extract repository information and manage pull requests. Shell commands inSKILL.md(Step 5) use quoted heredocs (<< 'EOF') to safely handle user-generated content, preventing command injection. - [DATA_EXFILTRATION]: Source code diffs and commit history are retrieved and transmitted to GitHub via the
ghCLI. This is the intended primary purpose of the skill and targets a well-known, legitimate service. - [EXTERNAL_DOWNLOADS]: The README provides installation instructions using
npxfor a scoped package (@opendirectory.dev/skills) and suggests downloading the skill directory viadownload-directory.github.io. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from git logs and diffs.
- Ingestion points: Git diff output, commit logs, and existing PR metadata are read into the agent context in
SKILL.md(Step 2). - Boundary markers: Absent; the skill does not use specific delimiters to separate code content from instructions.
- Capability inventory: The skill possesses write capabilities through
gh pr createandgh pr edit(Step 5). - Sanitization: No explicit sanitization or filtering of the git data is performed before processing.
- Mitigation: The potential risk is mitigated because the skill is designed to present the generated description to the user for review and confirmation before execution.
Audit Metadata