changelog
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from GitHub Pull Request titles and descriptions.
- Ingestion points: Pull Request metadata and descriptions are fetched via the GitHub CLI (gh) tool.
- Boundary markers: Absent; the instructions do not specify delimiters or guidelines to treat PR content strictly as data or to ignore embedded instructions.
- Capability inventory: Includes Bash for command execution (GitHub CLI) and Write for filesystem operations to create the changelog file.
- Sanitization: No validation or sanitization of the retrieved PR content is performed before processing, allowing potential injection attacks embedded in PR text to reach the agent's context.
Audit Metadata