agent-changelog
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a significant attack surface by ingesting data from untrusted or attacker-controllable sources, specifically git log output, code comments, and project documentation.
  - Ingestion Points: git log (commit messages), .claude/plans/, docs/, and source code comments.
  - Boundary Markers: None. The skill does not implement delimiters or 'ignore' instructions for the data it processes.
  - Capability Inventory: The skill has file-write capabilities (AGENT_CHANGELOG.md) and command execution capabilities (git).
  - Sanitization: None. Malicious content in a commit message (e.g., from a PR) or a documentation file could be interpolated verbatim into the final changelog. Because AGENT_CHANGELOG.md is intended to be an 'authoritative' guide for future agents, this creates a persistent injection that can subvert future agent reasoning.
- [Command Execution] (LOW): The skill executes shell commands (git log, git tag). These are standard operations for the stated purpose but should be monitored for command injection if variables were ever introduced into the shell strings.
- [Data Exposure] (LOW): The skill consolidates project trajectory, architectural decisions, and 'Stale Information' into a single file. While intended, this aggregates sensitive internal project knowledge into a structured format that could be easily exfiltrated by other compromised skills.
Recommendations
- AI detected serious security threats
Audit Metadata