release-notes
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `execSync` to run local `git` and `gh` CLI commands to extract repository history and pull request details. It implements a `sanitizeGitRef` function in `lib/parse-commits.cjs` to mitigate the risk of shell injection through branch or tag names.
- [DATA_EXFILTRATION]: The script `lib/transform-llm.cjs` performs network operations by sending release note content to the Anthropic API (`api.anthropic.com`) for AI-powered summarization. This is a documented feature using a well-known service and requires a user-provided `ANTHROPIC_API_KEY` via environment variables.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface where untrusted data from the repository is processed and passed to an LLM.
  - Ingestion points: Git commit subjects and bodies (read in `lib/parse-commits.cjs`) and pull request metadata (fetched in `lib/extract-pr-metadata.cjs`).
  - Boundary markers: The interpolation logic in `lib/transform-llm.cjs` does not use explicit delimiters or instructions to ignore potential commands embedded in the commit messages.
  - Capability inventory: Subprocess execution for git/gh CLI, network requests to Anthropic API, and file system writes for markdown reports and changelogs.
  - Sanitization: Use of `escapeMarkdown` in `render-template.cjs` prevents markdown formatting breakage but does not filter logic-based injection strings.
- [SAFE]: The skill implements robust path validation via the `validateOutputPath` utility in `lib/utils.cjs`. This check ensures all generated files are written within the project's root directory, preventing path traversal attacks.
Audit Metadata