announce
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill utilizes multiple bash execution blocks to run `git` and `gh` (GitHub CLI) commands. These commands are used to extract commit messages, diffs, and GitHub metadata, which can include data from untrusted external contributors.
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core design of summarizing external data.
  - Ingestion points: The skill reads untrusted input from `gh pr list` (PR titles and bodies), `gh issue list` (issue titles and bodies), `git log` (commit messages), and `gh release view` (release notes) in `SKILL.md`.
  - Boundary markers: Absent. The skill lacks delimiters or explicit instructions for the AI to ignore instructions embedded within the gathered context.
  - Capability inventory: The skill executes shell commands and produces drafts for external social media publication, creating a risk that injected instructions could manipulate the agent into generating malicious content.
  - Sanitization: Absent. There is no evidence of filtering, escaping, or validation of the content retrieved from GitHub.
- [DATA_EXPOSURE] (MEDIUM): The skill explicitly targets configuration and environment files (e.g., `.env.example`, `*.yaml`, `package.json`) in its `git diff` commands, which may lead the LLM to inadvertently include sensitive internal configuration details in the public release drafts.
Recommendations
- AI detected serious security threats
Audit Metadata