dev-changelog

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection due to its core functionality.
      • Ingestion points: Processes untrusted external content via git log, git diff, and gh pr view (PR descriptions and comments).
      • Boundary markers: There are no specified delimiters or instructions provided to the agent to ignore embedded instructions within the git or PR data.
      • Capability inventory: The skill uses the Write tool to create and update multiple markdown files (summary.md, implementation.md, tech-debt.md, docs-updates.md).
      • Sanitization: No evidence of sanitization, escaping, or validation of the ingested git/PR content before it is processed and written to disk.
  • Data Exposure (LOW): The skill accesses sensitive project metadata including git history and PR information. While this is typical for a development tool, it represents a point of exposure if the agent is not properly constrained.
  • Command Execution (LOW): The skill utilizes system tools like bash, git, and grep. While these are used for intended purposes (gathering logs and diffs), they provide the necessary primitives for more dangerous operations if the agent is subverted via prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:27 AM