changeset-validation
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Command Execution for Repository Analysis: The skill uses `execSync` and `spawnSync` within `scripts/changeset-prompt.mjs` to execute `git` commands. This is a standard and necessary pattern for gathering diffs, resolving commit SHAs, and analyzing file changes within a development workflow.
- Indirect Prompt Injection Surface: The skill processes potentially untrusted data by interpolating the Pull Request body (`{{PR_BODY}}`) and git diffs (`{{PACKAGE_DIFF}}`) into the LLM prompt. This is a common pattern for CI validation tools but introduces a surface where external input could attempt to influence the model's judgment.
  - Ingestion points: Data enters the context in `scripts/changeset-prompt.mjs` via the GitHub event payload and git command output.
  - Boundary markers: The prompt template in `references/validation-prompt.md` uses section headers to separate context, though it lacks explicit instructions to ignore nested directives within those blocks.
  - Capability inventory: The skill can interact with the GitHub API and execute local git commands.
  - Sanitization: The script includes logic to truncate large diffs to a maximum character limit, which provides a basic level of data control.
- GitHub API Interaction: The script `scripts/changeset-assign-milestone.mjs` performs network requests to the official GitHub API (api.github.com) to manage PR milestones. This operation requires a `GITHUB_TOKEN`, which is a standard requirement for repository automation and CI/CD integration.