release-skills
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted content from the repository's git history to automate release tasks. An attacker with the ability to influence commit messages (e.g., through a pull request) could potentially inject instructions that the agent might follow during the 'Analyze Changes' or 'Update Changelogs' steps.
  - Ingestion points: The skill reads external data via git log and git diff commands to categorize changes.
  - Boundary markers: Absent. There are no explicit instructions or delimiters to prevent the agent from interpreting instructions found within the processed commit messages.
  - Capability inventory: The skill has high-privilege capabilities, including file modification (CHANGELOG.md, README.md, marketplace.json) and shell command execution (git add, git commit, git tag).
  - Sanitization: Absent. The agent is instructed to describe features and fixes based directly on commit history without validation or escaping.
- Command Execution (MEDIUM): The skill executes multiple shell-based git commands. While these are part of the intended workflow, executing commands based on repository state (which can be influenced by external actors) poses a risk if inputs like version tags or commit messages are not strictly handled.
Recommendations
- AI detected serious security threats
Audit Metadata