run-full-release
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation recommends installing the mise tool using `curl https://mise.run | sh`. This pattern executes an unverified script from a remote server directly in the user's shell, which is a high-risk practice as the source is not a pre-approved trusted organization.
- [DATA_EXFILTRATION]: The skill logic involves reading sensitive authentication tokens from fixed local paths: `$HOME/.claude/.secrets/pypi-token` and `$HOME/.claude/.secrets/crates-io-token`. Accessing hardcoded sensitive credential paths increases the risk of data exposure to unauthorized processes.
- [COMMAND_EXECUTION]: The skill requires broad permissions to execute shell commands via `Bash` for repository auditing, environment configuration, and package publishing. This significant permission set increases the attack surface if the environment or inputs are compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and acts upon untrusted data from the local repository.
  - Ingestion points: The skill reads repository metadata and state through `git status`, `git log`, and various configuration files like `pyproject.toml` and `Cargo.toml`.
  - Boundary markers: Absent. Repository content is not delimited or isolated from the agent's instructions.
  - Capability inventory: High. The skill can execute arbitrary shell commands (`Bash`), modify files (`Write`, `Edit`), and read file contents.
  - Sanitization: Absent. External repository content is used directly to determine release logic and generate commit messages without validation or filtering.
Recommendations
- HIGH: Downloads and executes remote code from: https://mise.run - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata