create-pr

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute git and gh (GitHub CLI) commands for branch management, commit history analysis, and remote pull request creation. It also uses CronCreate to schedule periodic monitoring of CI status.
  • [EXTERNAL_DOWNLOADS]: It provides instructions for installing the playground plugin from the anthropics GitHub organization. As this is a trusted source, the download itself is documented neutrally as a legitimate dependency.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from external sources—specifically git branch names, commit messages, and agent activity logs—and incorporates them into the pull request body and arguments for the playground skill without sanitization or boundary markers.
  • Ingestion points: Untrusted data enters the context via git branch, git log, and the .claude/agents/activity/{branch}.jsonl file.
  • Boundary markers: Absent. The skill does not utilize delimiters or instructions to separate untrusted content from its operational instructions.
  • Capability inventory: The skill possesses the ability to perform remote writes via the GitHub CLI and invoke other agent skills, creating a vector where injected instructions could influence downstream actions.
  • Sanitization: No sanitization or escaping is performed on the git metadata before it is interpolated into prompts or PR content.
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 10:18 PM
Security Audit — agent-trust-hub — create-pr