changelog

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection because it ingests and summarizes content from untrusted external sources (PR bodies, issue descriptions, and commit messages). An attacker can submit a pull request containing hidden instructions in the description to hijack the agent's reasoning during the changelog generation phase. This is particularly risky as the skill has file-write capabilities.
  • Ingestion points: gh pr list, gh issue list, and git log are used to pull external, attacker-controllable text into the agent context.
  • Boundary markers: Absent. The instructions do not define delimiters or provide 'ignore embedded instructions' warnings when processing the gathered context.
  • Capability inventory: The skill executes system commands (git, gh) and performs file system writes (CHANGELOG.md).
  • Sanitization: Absent. There is no validation or filtering of the content retrieved from GitHub or git history before it is processed for summarization.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes local system commands (git and gh) to perform its intended function. While these are powerful tools, their usage here is restricted to information gathering from the current repository and does not involve arbitrary execution of untrusted code or scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 12:47 AM