publish
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several local commands including `git`, `jj` (Jujutsu), `pnpm`, and `uv`. These are used to manage the release workflow (tagging, building frontend, and publishing package).
- [EXTERNAL_DOWNLOADS]: The script `scripts/update_changelog.py` performs network requests to `api.github.com` using `urllib.request.urlopen` to fetch Pull Request author information. This is a well-known service and the implementation includes a timeout and basic error handling.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: The `update_changelog.py` script reads commit messages and PR descriptions from the local git log and GitHub API.
  - Boundary markers: None observed in the prompt or scripts to prevent the LLM from following instructions embedded in commit messages if it were to process the resulting changelog.
  - Capability inventory: The skill has significant capabilities including file writing (`CHANGELOG.md`, `pyproject.toml`), network access, and package publishing (`uv publish`).
  - Sanitization: The script performs regex-based extraction but does not sanitize the content of commit messages before writing them to the `CHANGELOG.md` file.
Audit Metadata