patch-notes
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The `version` argument is directly interpolated into file paths such as `production/releases/[version]/changelog.md` and likely used within shell commands for `git log`. Lack of input validation allows for path traversal (e.g., using `../../etc/passwd`) or potential command injection if shell metacharacters are included in the argument.
- [DATA_EXFILTRATION]: The skill reads internal files including sprint retrospectives and balance documents. While it intends to sanitize this for players, it is instructed to output the excluded internal changes to the user for review. This creates a risk of exposing sensitive internal technical details, developer comments, or organizational data to unauthorized users.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external, untrusted content.
  - Ingestion points: `git log` history, internal changelogs, sprint retrospectives in `production/sprints/`, and balance documents in `design/balance/`.
  - Boundary markers: No delimiters or instructions are provided to the agent to treat the ingested data as data rather than instructions.
  - Capability inventory: The skill has access to `Read`, `Write`, and `Bash` tools, allowing for file system manipulation and command execution based on processed input.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from git logs or documentation before it is processed by the LLM to 'translate' or 'categorize' the data.