make-changelog
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands via `git` and a local Python script (`list_ranges.py`). These operations use safe execution patterns (list-based arguments) to prevent shell injection. While the skill accepts git reference names (tags) as input, these are sourced from the local repository state rather than direct user input.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the processing of untrusted content from the repository's git history.
- Ingestion points: Commit messages retrieved via `git log` and version tags are passed into the prompt of Haiku subagents in Step 4.
- Boundary markers: The subagent prompt lacks explicit delimiters or instructions to ignore instructions embedded within the commit messages, relying instead on high-level task descriptions.
- Capability inventory: The subagents are configured for text generation tasks and do not have access to sensitive tools or external network capabilities; their primary output is markdown content for the changelog.
- Sanitization: There is no evidence of sanitization or filtering of commit messages or tag names before they are interpolated into the subagent prompts.