changelog-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external data in the form of git commit messages.
  - Ingestion points: Git commit history and version tags are analyzed to generate content (File: SKILL.md).
  - Boundary markers: None present. There are no instructions to the agent to ignore or delimit embedded commands within commit messages.
  - Capability inventory: The skill explicitly instructs the agent to 'Save output directly to CHANGELOG.md', providing a filesystem write capability.
  - Sanitization: None present. The agent is encouraged to 'Translate Technical → User-Friendly', which involves high-level reasoning over potentially malicious strings.
- Metadata Poisoning (MEDIUM): The sections titled 'Scientific Skill Interleaving', 'SDF Interleaving', and 'Cat# Integration' contain pseudoscientific jargon (e.g., 'GF(3) Balanced Triad', 'Bicomodule', 'Trit: 1') that is unrelated to the skill's stated purpose of generating changelogs. This deceptive metadata may be intended to bias the LLM's internal state or bypass standard operational constraints.
Recommendations
- AI detected serious security threats