phoenix-release-notes
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It instructs the agent to analyze untrusted data sources, including GitHub release bodies and repository source code, to generate MDX documentation and update GitHub release notes. A malicious actor could craft commit messages or code comments designed to influence the agent's summarization or cause it to include unauthorized content in the output. Mandatory Evidence Chain: (1) Ingestion points: `gh release view` output and repository source code in `packages/` and `src/` directories. (2) Boundary markers: Absent in MDX templates. (3) Capability inventory: File writes (`mkdir`, `cat`) and GitHub release edits (`gh release edit`). (4) Sanitization: None specified in the instructions.
- [COMMAND_EXECUTION]: The skill uses several standard CLI tools, including `gh`, `grep`, `ls`, and `mkdir`, to identify releases and manage the documentation structure. Step 7 involves a shell script that interpolates external release content into a new command, which represents a capability for executing operations based on processed data.
- [DATA_EXFILTRATION]: The skill reads local project documentation and configuration files and possesses the capability to write updates to the project's official remote GitHub repository. This constitutes a controlled data flow from the local filesystem to an external service.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the GitHub CLI (`gh`) to fetch release metadata and commit history from `github.com/Arize-ai/phoenix`. These interactions target a well-known service and the official repository of the skill's author.
Audit Metadata