asc-whats-new-writer
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from git history and user input to generate release notes.
  - Ingestion points: Git log output (`git log ...`), user bullet points, and conversational text input in SKILL.md.
  - Boundary markers: The skill does not define clear boundaries or provide instructions to the agent to treat the processed data as potentially malicious instructions.
  - Capability inventory: The agent is instructed to execute `git` and `asc` CLI commands (in SKILL.md), including uploading data to App Store Connect.
  - Sanitization: No sanitization or escaping mechanisms are specified for the input data before it is used to generate the `asc` command parameters.
- [COMMAND_EXECUTION]: The skill constructs shell commands that incorporate text generated from external sources, presenting a risk of command injection.
  - Evidence: Instructions in Phase 4 of SKILL.md describe running `asc apps info edit --whats-new "..."` where the content is derived from git logs.
  - Context: While the skill includes a manual approval step (`Step 2: Wait for Approval`), the lack of programmatic sanitization instructions for the LLM remains a structural weakness.
Audit Metadata