docs-and-changelogs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted content from git commit history and incorporates it into persistent project documentation.
  * Ingestion points: 'scripts/generate_changelog.py' executes 'git log' to retrieve commit subjects and bodies, which can be controlled by any contributor.
  * Boundary markers: No delimiters or 'ignore' instructions are used when interpolating commit messages into 'CHANGELOG.md'.
  * Capability inventory: The skill has the capability to write to the file system across all its scripts, specifically 'CHANGELOG.md', 'docs/ADR/', and 'docs/PRD/'.
  * Sanitization: Commit messages are placed directly into markdown templates without escaping or validation.
- Command Execution (LOW): The skill invokes the 'git' binary via 'subprocess.run' in 'scripts/generate_changelog.py'.
  * Evidence: 'get_commits' and 'get_last_tag' functions.
  * Risk: While shell injection is mitigated by passing the command as an argument list, there is a minor risk of argument injection if the 'since' or 'until' parameters are provided by an untrusted source and contain 'git' flags.
Recommendations
- AI detected serious security threats
Audit Metadata