release
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its data ingestion patterns.
  1. Ingestion points: The agent reads untrusted content from the repository via git log and git diff in steps 1 and 3.
  2. Boundary markers: There are no instructions or delimiters to prevent the agent from following commands embedded within this external data.
  3. Capability inventory: The skill has high-privilege capabilities including npm publish, git push, and gh release create.
  4. Sanitization: The skill performs no validation or sanitization of the commit data before processing it for decision-making.
- COMMAND_EXECUTION (MEDIUM): The workflow executes several bash commands where arguments are derived from the repository state (tags, versions, notes). While limited by allowed-tools, the reliance on untrusted external data to populate command parameters creates a risk of exploitation if metadata is manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata