release
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell scripts `./scripts/release.sh` and `./scripts/release-rollback.sh`. These scripts are responsible for critical tasks including version bumping, code committing, and managing pull requests via the GitHub CLI.
- [REMOTE_CODE_EXECUTION]: The release script connects to remote gateway servers via SSH to execute immediate update commands (`gateway-auto-update.sh --force`), representing a remote code execution capability on production infrastructure.
- [CREDENTIALS_UNSAFE]: The operation relies on pre-configured environment credentials, including SSH keys for gateway access, GitHub CLI (`gh`) tokens for PR and release management, and crates.io tokens for publishing packages via `cargo`.
- [DATA_EXFILTRATION]: The skill communicates with external messaging platforms (Matrix and River) using tools like `matrix-send` and `riverctl` to broadcast release metadata and status to external channels.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external services such as GitHub (via `git fetch` and `gh`) and crates.io (via `cargo search`) to synchronize repository state and verify artifact availability.
- [PROMPT_INJECTION]: The skill processes untrusted data from git history, creating an indirect prompt injection surface.
  - Ingestion points: Reads `git log --oneline` from the repository history in `SKILL.md`.
  - Boundary markers: None; commit messages are presented to the user without delimiters.
  - Capability inventory: Significant capabilities including script execution, SSH access, and package publication across multiple files.
  - Sanitization: No evidence of sanitization or escaping for commit message content before presentation.
Audit Metadata