NYC

changelog-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from git changes to generate documentation and update project configuration. Findings based on the mandatory evidence chain:
      • Ingestion points: Step 2 uses git diff --cached and git log --oneline --cached to read code and commit messages from the local repository which may contain attacker-controlled content.
      • Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between code/comments and potentially malicious embedded instructions.
      • Capability inventory: The agent is authorized to read and write critical local files (package.json, CHANGELOG.md) and execute shell commands (git, cat, grep).
      • Sanitization: Absent. Content from the diff is directly parsed and summarized into the project's documentation and configuration.
  • COMMAND_EXECUTION (LOW): The skill utilizes several shell commands (git status, git diff, git log, cat, grep) to perform its primary function. While these are standard developer tools, they provide a vector for command injection if filenames or commit data were maliciously crafted to exploit shell parsing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:33 AM