create-pr
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
Bashtool to executegitandgh(GitHub CLI) commands for branch management, commit history analysis, and remote pull request creation. It also usesCronCreateto schedule periodic monitoring of CI status. - [EXTERNAL_DOWNLOADS]: It provides instructions for installing the
playgroundplugin from theanthropicsGitHub organization. As this is a trusted source, the download itself is documented neutrally as a legitimate dependency. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from external sources—specifically git branch names, commit messages, and agent activity logs—and incorporates them into the pull request body and arguments for the
playgroundskill without sanitization or boundary markers. - Ingestion points: Untrusted data enters the context via
git branch,git log, and the.claude/agents/activity/{branch}.jsonlfile. - Boundary markers: Absent. The skill does not utilize delimiters or instructions to separate untrusted content from its operational instructions.
- Capability inventory: The skill possesses the ability to perform remote writes via the GitHub CLI and invoke other agent skills, creating a vector where injected instructions could influence downstream actions.
- Sanitization: No sanitization or escaping is performed on the git metadata before it is interpolated into prompts or PR content.
Audit Metadata