release
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs broad system operations using git, gh, bun, npm, uv, cargo, and awk to manage source code, tags, and releases.
- [COMMAND_EXECUTION]: In Step 1.5, the skill compiles local source code into a temporary binary using `bun build` and executes the resulting file to perform a smoke test. This constitutes dynamic execution of code within the agent's environment.
- [EXTERNAL_DOWNLOADS]: The skill clones the vendor's tap repository (coleam00/homebrew-archon) and downloads release artifacts from GitHub to verify checksums. These target well-known services and vendor-owned resources.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted data from the repository's git history.
  - Ingestion points: Commit messages and file diffs are read from the local repository during the changelog generation phase (SKILL.md).
  - Boundary markers: No delimiters or safety instructions are used to prevent the agent from being influenced by instructions embedded in commit messages.
  - Capability inventory: The agent has the ability to write these processed messages to PR descriptions (`gh pr create`) and GitHub release notes (`gh release create`), creating a path for downstream poisoning or social engineering.
  - Sanitization: No validation or sanitization is performed on the commit strings before they are incorporated into the agent's output.
Audit Metadata