release
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill performs sensitive operations including `npm publish`, `git push origin`, and `gh release create`. These commands have irreversible external side effects and require high-privilege authentication tokens (`NPM_TOKEN`, `GITHUB_TOKEN`) to be present in the execution environment. There are no human-in-the-loop confirmation steps defined in the workflow.
- [REMOTE_CODE_EXECUTION] (HIGH): The instruction to run `npm run test:run` executes arbitrary shell scripts defined in the local `package.json`. In the context of an automated release workflow, this creates a supply chain risk where a malicious contribution could execute code on the runner or developer machine during the release process.
- [PROMPT_INJECTION] (HIGH): This skill exhibits a significant Indirect Prompt Injection surface (Category 8). It ingests untrusted data in the form of `<title>` and `<release notes>`, which are typically sourced from external PR descriptions or commit histories. Because the skill possesses 'Write/Execute' capabilities (publishing and tagging), the lack of boundary markers or sanitization allows an attacker to influence the agent's behavior during the release process by embedding instructions in commit metadata.
- [DATA_EXFILTRATION] (LOW): While not explicitly exfiltrating data, the `npm publish` command by design uploads the entire package content to a public registry. If sensitive files (like `.env` or SSH keys) are not properly excluded via `.npmignore`, they will be publicly exposed.
Recommendations
- AI detected serious security threats
Audit Metadata