semantic-release-tagger
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill extensively uses shell commands (git, gh, jq) to perform repository analysis, tag creation, and release publishing. This is consistent with its stated purpose as a release management tool.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the repository's git history (commit messages and tag names).
  - Ingestion points: Commit messages retrieved via git log and tag names retrieved via git tag (see workflow/phase-0-auto-analysis.md and workflow/phase-4-github-release.md).
  - Boundary markers: No explicit boundary markers or instructions are provided to help the agent distinguish between its instructions and the data being processed.
  - Capability inventory: The agent has the capability to execute shell commands and write to the file system (e.g., creating GitHub Action workflows).
  - Sanitization: There is no evidence of data sanitization or escaping before untrusted strings are interpolated into shell commands or displayed to the user.
  - Mitigation: The skill incorporates a Human-in-the-Loop pattern, requiring explicit user approval at Phase 3 (Tag Creation) and Phase 4 (GitHub Release), which prevents automated exploitation of these injection vectors.
Audit Metadata