version
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted data from a repository's files while having high-privilege capabilities.
- Ingestion points: Scans a wide variety of project files including
package.json,pyproject.toml,Cargo.toml,pom.xml, andCHANGELOG.md. It also searches for versions in UI files (.tsx,.vue) and Docker configurations (SKILL.md). - Boundary markers: Absent. There are no instructions to the agent to treat content found in these files as data rather than instructions, nor are delimiters used to wrap the ingested content.
- Capability inventory: The skill modifies local files (updating version strings and the changelog) and executes multiple shell commands through the git CLI, including
git add,git commit,git tag, andgit push(SKILL.md). - Sanitization: Absent. The logic does not specify any validation or escaping of the strings found within the scanned files before they are processed or used in shell commands.
- Command Execution (MEDIUM): The skill relies on executing shell commands via the git CLI to manage the release process.
- Evidence: Explicit instructions to run
git add -A,git commit,git tag, and specifically a command with shell expansion:git log $(git describe --tags --abbrev=0)..HEAD --oneline(SKILL.md). While these are core features, an attacker who can influence the output ofgit describeor the content of git logs via malicious commit messages could potentially influence agent behavior or achieve command injection.
Recommendations
- AI detected serious security threats
Audit Metadata