release-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to execute local scripts and system commands that modify the repository state.
- Evidence: Execution of
.github/scripts/bump-version.ps1,.github/scripts/tag-release.sh, and.github/scripts/quick-release.sh. - Evidence: Usage of the GitHub CLI (
gh workflow run) to trigger remote pipelines. - Risk: If an attacker can influence the content of these scripts or the parameters passed to them, they can achieve arbitrary code execution in the agent's environment.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality of processing external, untrusted data.
- Ingestion points: The skill explicitly reads and parses
git logand commit messages to generate changelogs and release notes. - Boundary markers: There are no instructions defining delimiters or "ignore embedded instructions" guards for the parsed commit data.
- Capability inventory: The agent has high-privilege capabilities including file modification (
VERSION,CHANGELOG.md,.csproj), git tagging, git pushing, and triggering GitHub Actions workflows. - Sanitization: No sanitization or validation logic is specified for the commit message content before it is processed or used to influence the agent's next steps.
- Risk: A malicious actor could craft a commit message containing instructions that the agent might follow when "categorizing" or "formatting" the notes, leading to unauthorized repository changes or data exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata