changelog
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is susceptible to Indirect Prompt Injection via git commit messages.
  - Ingestion points: The 'AI-Generated Changelog' section uses `git log` to capture commit messages into the `$COMMITS` variable.
  - Boundary markers: No delimiters (like XML tags or triple quotes) are used to isolate the untrusted `$COMMITS` data from the AI instructions.
  - Capability inventory: The skill has the capability to modify the local `CHANGELOG.md` file and publish release notes to GitHub using the `gh` CLI.
  - Sanitization: None. There is no filtering or escaping of the commit history. An attacker who can commit to the repository (e.g., via a PR) can include instructions in their commit message that the LLM might follow, such as adding malicious URLs to the final release notes.
- [Command Execution] (LOW): The skill utilizes several bash scripts to automate file management and git operations.
  - Evidence: Use of `sed`, `grep`, `head`, `tail`, and `mv` to manipulate `CHANGELOG.md` based on shell variables like `$VERSION`.
  - Risk: While standard for a development tool, these scripts perform file system modifications and rely on the correctness of input variables.
- [External Downloads] (LOW): The skill instructs the user to install the `google-generativeai` package.
  - Evidence: `pip install google-generativeai`.
  - Trust: Downgraded to LOW/INFO per [TRUST-SCOPE-RULE] as the package is from a trusted organization (Google).
Recommendations
- AI detected serious security threats
Audit Metadata