release-skills
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): (Category 8: Indirect Prompt Injection) The skill is susceptible to instructions embedded in commit messages used during the release process. 1. Ingestion points: Untrusted commit messages are ingested via 'git log' in Step 1 to categorize changes. 2. Boundary markers: None; there are no delimiters or instructions provided to the agent to treat commit messages as raw data rather than instructions. 3. Capability inventory: The skill has the capability to modify repository files (README.md, CHANGELOG.md, marketplace.json) and execute git commit/tag commands. 4. Sanitization: Absent; the skill interpolates commit text directly into changelogs and uses commit prefixes to programmatically decide version bumps. A malicious actor could craft a commit message that overrides these rules or injects unwanted content into the documentation.
- [COMMAND_EXECUTION] (LOW): The skill utilizes git commands and file system writes to manage the release workflow. While these are necessary for the tool's functionality, they constitute a capability set that can be exploited if the agent is influenced by injected content.
Recommendations
- AI detected serious security threats
Audit Metadata