changelog-updater
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill is vulnerable to instructions embedded in external data it processes (git metadata and file contents).
  - Ingestion points: Untrusted data enters via get_changed_files() (which retrieves git diffs/commit messages) and read_file("CHANGELOG.md").
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the diff data.
  - Capability inventory: Includes read_file, get_changed_files, and replace_string_in_file (file modification).
  - Sanitization: Absent. There is no logic to filter or escape instructions within the commit messages before they are processed by the LLM.
- [DATA_EXFILTRATION] (SAFE): No network operations (curl, wget, fetch) or access to sensitive file paths (e.g., .ssh, .aws, .env) were detected.
- [REMOTE_CODE_EXECUTION] (SAFE): No remote code downloads, package installations, or dynamic execution patterns (eval, exec) are present.