github-fetch-release-notes

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Finding tags: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes text from external GitHub repositories (CHANGELOG files and Release bodies). Maliciously crafted content in these files could attempt to influence the agent's behavior.
  • Ingestion points: Data enters the system through gh_client.py which uses the GitHub CLI to fetch repository content.
  • Boundary markers: The skill outputs structured JSON, which provides some separation, but does not include specific boundary markers or instructions to the LLM to ignore instructions within the fetched text.
  • Capability inventory: The skill executes local commands via subprocess.run in gh_client.py to interact with the gh CLI.
  • Sanitization: While changelog.py performs text normalization and cleanup, it does not specifically filter for prompt injection attacks.
  • [COMMAND_EXECUTION]: The skill executes the gh (GitHub CLI) tool to perform its tasks. Security is maintained through strict input validation of repository names in gh_client.py using the REPO_PART_RE regex and urllib.parse, and by passing command arguments as lists to subprocess.run, which avoids shell interpretation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 10, 2026, 11:58 AM