release-management
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies heavily on the execution of shell commands through the `Bash` tool and Python's `subprocess` module. These commands are used to manage git tags, branches, and interact with the GitHub CLI (`gh`) for release creation and asset management.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes data that can be controlled by external actors, such as commit messages and pull request titles.
  - Ingestion points: Commit subjects and bodies are ingested via `git log` in `scripts/version-manager.py` and `scripts/release-scripts.sh` to generate changelogs and release notes.
  - Boundary markers: No boundary markers or 'ignore' instructions are used to separate untrusted commit data from the agent's instructions during processing.
  - Capability inventory: The skill possesses significant capabilities, including arbitrary command execution (`Bash`), file modification (`Write`, `Edit`), and network communication through the GitHub CLI.
  - Sanitization: There is no evidence of sanitization or escaping of the content retrieved from git logs before it is interpolated into prompts or used in CLI arguments.
- [DYNAMIC_CONTEXT_INJECTION]: The `scripts/create-release.md` file uses the `!` syntax to execute shell commands (e.g., `git describe`, `git log`, `git diff`) at the moment the skill is loaded. While these commands are used to populate metadata for the release process, they represent silent, automatic code execution upon accessing the skill.