changelog-generator

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
PROMPT_INJECTION

Full Analysis
  • PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection because its core function is to process untrusted external data (git commit messages).
      • Ingestion points: Git commit history (SKILL.md, 'What This Skill Does' section 1).
      • Boundary markers: None identified; commit messages are interpolated directly into the LLM context for categorization and translation.
      • Capability inventory: Implied read access to the local filesystem (git repository) and ability to output text that may be saved to files (CHANGELOG.md).
      • Sanitization: No sanitization or escaping of commit content is described. A malicious contributor could craft a commit message containing instructions to override the agent's behavior or leak information into the generated output.
  • COMMAND_EXECUTION (LOW): The skill implies the execution of git commands (e.g., git log) to retrieve history. While these are standard tools, the agent must be restricted from executing arbitrary shell commands provided within those git logs.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 04:32 AM