bmad-os-draft-changelog
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is vulnerable to instructions embedded in external data it processes.
- Ingestion points: The skill reads pull request descriptions and comments using
gh pr viewas specified inprompts/instructions.md. - Boundary markers: Absent. There are no clear delimiters or instructions to ignore potential commands within the PR content.
- Capability inventory: The skill has the capability to write to the local filesystem (
CHANGELOG.md). - Sanitization: Absent. PR data is processed directly for summarization without sanitization.
- [Command Execution] (SAFE): The skill uses legitimate CLI tools (
git,gh) for its primary purpose. The instructions include explicit constraints (e.g., "DO NOT make any commits", "DO NOT trigger any GitHub release workflows") to prevent unauthorized actions.
Audit Metadata