release
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes several local scripts and CLI tools for sensitive operations.
  - Evidence: Execution of scripts/ci-publish.sh, scripts/bump-version.sh, gh pr merge, and npm publish.
  - Risk: If these scripts are compromised or contain vulnerabilities, they could be used to execute arbitrary code or perform unauthorized actions during the release process.
- [PROMPT_INJECTION] (MEDIUM): Category 8 (Indirect Prompt Injection). The skill has a high-capability attack surface by ingesting untrusted data.
  - Ingestion points: Content from .changeset/*.md files and the output of pdf-brain search.
  - Boundary markers: None specified in the instructions to prevent the agent from following instructions embedded in these sources.
  - Capability inventory: The agent can merge PRs (gh pr merge) and push code changes (git push), which triggers CI/CD publishing.
  - Sanitization: No sanitization or validation of the ingested content is mentioned.
- [EXTERNAL_DOWNLOADS] (LOW): The skill references an external GitHub action.
  - Evidence: vercel/ai-action is used in the CI pipeline.
  - Status: Downgraded to LOW/INFO as vercel is a recognized Trusted Organization per [TRUST-SCOPE-RULE].
- [DYNAMIC_EXECUTION] (MEDIUM): The skill mentions a custom Python script used for runtime modification of package files.
  - Evidence: A "python3 safety net that rewrites any remaining workspace:*" inside scripts/ci-publish.sh.
  - Risk: Runtime modification of package.json files via unprovided scripts can introduce unexpected behavior if the script logic is flawed or manipulated.
Audit Metadata