aif-deploy
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- DATA_EXFILTRATION (MEDIUM): The skill is designed to perform 'Environment Checks' which include verifying
.envfiles. These files typically contain sensitive secrets such as API keys and database credentials. While the skill aims to protect them, the combination of file-read access and network-capable tools (likegh,npm, anddocker) creates a path for potential exfiltration. - COMMAND_EXECUTION (MEDIUM): The skill is authorized to run broad commands including
npm *,docker *, andgh *. It specifically invokesnpm run buildandcargo build. In most project environments, these commands execute arbitrary scripts defined in the project's configuration (e.g.,package.json), which could be used to execute malicious code on the host system. - PROMPT_INJECTION (LOW): The skill ingests untrusted data from the local environment, specifically git commit messages and GitHub PR titles/descriptions, to generate release notes. This is a surface for indirect prompt injection (Category 8). Although
disable-model-invocation: trueis set (mitigating the model's direct response to this data), the agent framework may still be influenced by these strings if they are passed to other model-driven components. - Ingestion points: Git history, merged PR titles, and descriptions (extracted via
gitandgh). - Boundary markers: None explicitly defined in the logic for release note generation.
- Capability inventory:
git,npm,docker,gh,kubectl,vercel,netlify(all capable of network and system interaction). - Sanitization: No explicit sanitization of git logs or PR metadata before processing.
- EXTERNAL_DOWNLOADS (LOW): The skill uses tools like
npm auditand build systems that naturally download external dependencies. While standard for deployment, this constitutes a dependency on external registries.
Audit Metadata