claude-code-plugin-release
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow relies on executing a series of shell commands to manage the release process. This includes using
gitfor tagging and pushing changes,npmfor building the project and sending notifications, and theghCLI for creating releases and querying the GitHub API. - [EXTERNAL_DOWNLOADS]: The skill fetches release metadata from the GitHub API. While GitHub is a trusted source, this represents the ingestion of external data into the agent's workspace.
- [PROMPT_INJECTION]: The skill uses emphatic language like 'IMPORTANT' and 'CRITICAL' to ensure the agent follows specific procedural steps, such as committing build artifacts. While appropriate for the use case, this aligns with behavioral steering patterns.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its changelog generation process.
- Ingestion points: External data enters the context via the
gh apicommand, which is then processed byscripts/generate_changelog.js(SKILL.md). - Boundary markers: There are no boundary markers or instructions to treat the ingested release notes as untrusted data.
- Capability inventory: The skill has the capability to modify the repository (
git commit,git push), create remote releases (gh release), and execute notification scripts (npm run discord:notify). - Sanitization: The
generate_changelog.jsscript parses the JSON data and extracts release bodies without any sanitization or filtering for potentially malicious instructions (scripts/generate_changelog.js).
Audit Metadata