release-notes

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: In lib/bump-version.cjs, the service argument (provided via command-line flags) is interpolated directly into a shell command string executed by execSync without sanitization. Although the variable is enclosed in double quotes within the shell string, techniques such as command substitution (e.g., $(...)) or backticks could be used to execute arbitrary commands if an attacker can influence the service name input.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from git commit history and processes it using an LLM.
    • Ingestion points: Commit subjects and bodies are parsed from the repository's git log in lib/parse-commits.cjs and passed through the processing pipeline.
    • Boundary markers: No explicit delimiters, XML tags, or instructions to ignore embedded commands are present when content is passed to the LLM in lib/transform-llm.cjs.
    • Capability inventory: The skill has access to shell command execution (execSync), file system writes, and external network communication via https.request.
    • Sanitization: While lib/utils.cjs provides markdown escaping, this only prevents formatting issues and does not neutralize malicious instructions embedded in the commit text, allowing them to influence the LLM transformation logic.
  • [DATA_EXFILTRATION]: The lib/transform-llm.cjs script transmits release notes content to the Anthropic API (api.anthropic.com) for processing. This represents a network flow of project metadata, including commit descriptions and contributor names, to an external service.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 07:25 AM