release
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several local shell commands to manage the release workflow:
  - Reads the current version from `package.json` using `node -p`.
  - Retrieves commit history via `git log` to identify unreleased changes.
  - Executes `npm run release:[type]` scripts to perform the version bump and changelog update.
- [EXTERNAL_DOWNLOADS]: The workflow relies on `standard-version`, typically invoked via `npx`. This may involve downloading the package from the official NPM registry if it is not already cached locally. This is standard behavior for Node.js development tools.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading Git commit messages. Since these messages are incorporated into the prompt context for generating a `CHANGELOG.md`, a malicious commit message could theoretically attempt to influence the agent's output. However, this is a low-risk inherent property of automated changelog tools.
Audit Metadata