changeset
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill analyzes external data from git commit messages which can be controlled by untrusted actors. 1. Ingestion points: Commit history retrieved via
git log(Step 2). 2. Boundary markers: None; commit messages are processed directly. 3. Capability inventory: Localgitcommand execution and file writing to the.changeset/directory. 4. Sanitization: None; the skill lacks logic to filter or escape instructions embedded in commit messages. An attacker could craft a commit message that tricks the agent into misclassifying the version bump or including malicious content in the changeset summary. - [Command Execution] (LOW): The skill uses
git tagandgit logto retrieve repository metadata. While these are subprocess calls, they are limited to standard git operations and do not target sensitive system files or execute remote code.
Audit Metadata