bmad-os-draft-changelog

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the data it ingests during its analysis phase.
  • Ingestion points: The agent reads content from .claude-plugin/marketplace.json, git commit bodies, and GitHub Pull Request descriptions and comments via gh pr view as described in Step 2.
  • Boundary markers: The instructions do not require the use of boundary markers or specific "ignore embedded instructions" warnings when the agent processes this external, potentially attacker-controlled text.
  • Capability inventory: The skill has the capability to write to the local filesystem (specifically the CHANGELOG.md file).
  • Sanitization: There is no requirement for the agent to sanitize, validate, or escape the content retrieved from PRs or commits before incorporating it into the draft or using it to drive the significance assessment logic.
  • Risk: An attacker who can contribute commits or Pull Requests to the repository could include malicious instructions within the PR body or commit messages designed to influence the agent's behavior while it is generating the changelog.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 06:17 PM