release-notes
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- Command Execution: The skill uses
dnxto run thedotnet-inspecttool for API verification. This involves executing commands that interact with external package repositories to query type and member information. The execution is confined to trusted .NET development tools and official package feeds. - External Downloads: Configuration and API metadata are fetched from official Azure DevOps NuGet feeds (
pkgs.dev.azure.com) and GitHub repositories associated with the .NET project. These downloads are necessary for accurate release documentation and originate from well-known, trusted sources. - Indirect Prompt Injection: The skill ingests data from external GitHub pull requests, such as titles and descriptions, to generate content. This represents an ingestion point for untrusted data which could potentially contain malicious instructions. The risk is mitigated by the skill's workflow, which includes multi-model editorial QA and final human review of the generated pull requests.
Audit Metadata