describe-pr
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill executes a local shell script at "$CLAUDE_PROJECT_DIR/.claude/scripts/aggregate-reasoning.sh". The source and content of this script are not defined within the skill, representing an unverified execution path.
- [COMMAND_EXECUTION]: Step 6 instructs the agent to execute commands found in the "How to verify it" section of the PR template (e.g., make check test). If the template file (thoughts/shared/pr_description.md) or the PR diff contains malicious commands, the agent may execute them automatically under the guise of verification.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data from the repository.
  - Ingestion points: Reads the PR template file (thoughts/shared/pr_description.md) and the output of gh pr diff, which may contain attacker-controlled content.
  - Boundary markers: None. The skill does not use delimiters or instructions to ignore embedded commands when processing the template or diff.
  - Capability inventory: File system access, shell execution (bash), and network writes via the GitHub CLI (gh pr edit).
  - Sanitization: No validation or sanitization is performed on the ingested content before it is used to generate the description or determine command execution.
Audit Metadata