changelog-automation

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [SAFE]: No malicious patterns or security violations were detected. The skill provides legitimate templates for developer workflows and adheres to industry best practices for version management.
  • [EXTERNAL_DOWNLOADS]: The implementation playbook references the installation of standard tools like semantic-release, standard-version, and commitizen from official package registries (NPM and PyPI). These are well-known services and the downloads are consistent with the skill's primary purpose.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest commit messages and PR descriptions to generate changelogs, which represents a theoretical surface for instruction injection from untrusted commit data.
      • Ingestion points: Git commit history and pull request metadata (referenced in resources/implementation-playbook.md).
      • Boundary markers: Not explicitly implemented in the provided code snippets.
      • Capability inventory: Writing to local files (CHANGELOG.md) and performing Git operations.
      • Sanitization: Not explicitly addressed in the provided templates; the skill relies on the standard behavior of the integrated tools.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 14, 2026, 02:55 AM