changelog-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill instructs the agent to gather data using 'git log'. This data originates from commit messages, which are attacker-controlled external inputs. If the agent processes these messages to generate content or make decisions, it is vulnerable to indirect prompt injection (Category 8).
      • Ingestion points: Commit messages retrieved via 'git log' commands in Step 1.
      • Boundary markers: None. The instructions provide no delimiters or 'ignore' directives for the ingested log content.
      • Capability inventory: File system write access (updating CHANGELOG.md), command execution (git, npm, grep, cat), and global package installation.
      • Sanitization: None. The skill suggests direct interpolation of log data into the changelog format.
  • [External Downloads] (MEDIUM): The 'Automation' section suggests installing 'conventional-changelog-cli' globally via 'npm install -g'. While this is a common utility, downloading and installing third-party packages at runtime is a risk vector (Category 4).
  • [Command Execution] (LOW): The skill uses several standard shell commands ('git', 'cat', 'grep') and the 'conventional-changelog' utility to perform its tasks. These are used for their intended purpose in a development environment but constitute a broad capability surface (Category 5).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:35 AM