release-note-crafter
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes Git commit logs, which are externally controlled, untrusted data.
  - Ingestion points: Git commit subjects are parsed in `scripts/main.ts` via `parseGitLog` and `groupCommitsBySections`.
  - Boundary markers: Absent. The skill provides no delimiters or instructions to the agent to treat commit content as untrusted data during the 'translation' to business value.
  - Capability inventory: The skill contains `fs.writeFileSync` in `writeReleaseNotes` (`scripts/main.ts`), allowing the agent to write generated content to the file system.
  - Sanitization: Absent. There is no escaping or filtering of commit message content before it is interpolated into the Markdown output.
- Command Execution (MEDIUM): The `out` argument in `SKILL.md` is passed directly to `path.resolve` and `fs.writeFileSync` in `scripts/main.ts`. If the agent's environment lacks strict path sandboxing, this allows writing to arbitrary locations on the file system, which could be exploited to overwrite configuration files or keys if combined with a prompt injection.
- Data Exposure (LOW): The `SKILL.md` metadata refers to a 'Knowledge Protocol' that integrates 'Confidential' and 'Personal' knowledge tiers. While the code does not explicitly leak data, the design goal of mixing sensitive internal data with output intended for 'Stakeholders' or 'Public' release notes creates a structural risk of accidental data exposure.
Recommendations
- AI detected serious security threats
Audit Metadata