changelog

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to interpolate user-provided arguments into a shell command: git log --oneline [last-tag]..HEAD. This pattern is vulnerable to command injection if a user provides a crafted version string containing shell metacharacters.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from the repository environment.
      • Ingestion points: Git commit history (via git log), sprint reports in production/sprints/, and design documents in design/gdd/.
      • Boundary markers: The skill lacks delimiters or explicit instructions to isolate the external content from the agent's logic.
      • Capability inventory: The combination of Read, Glob, Grep, and Bash tools provides a significant attack surface if the agent follows malicious instructions embedded in the logs or documentation.
      • Sanitization: No content validation or sanitization is performed on the ingested data before processing.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 11:07 PM