changelog-audit
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive shell operations using git (rev-parse, show, tag, worktree, switch, status, log) and nvidia-smi to manage and inspect the repository environment. It also executes repository-local build scripts like build_lib.py via uv run.
- [REMOTE_CODE_EXECUTION]: In Phase 3a, the skill is instructed to generate standalone Python scripts in /tmp/ based on claims found in the CHANGELOG.md. These scripts are then executed using uv run. This creates a runtime code execution capability where the executed logic is derived from external text entries.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: Reads CHANGELOG.md bullets, VERSION.md, and warp/config.py as primary inputs (SKILL.md Phase 1, Phase 2, Phase 3).
  - Boundary markers: None explicitly mentioned or implemented for isolating or delimiting changelog content during analysis.
  - Capability inventory: Performs subprocess calls for git, gh, and uv run. It has file write access to CHANGELOG.md and generates temporary scripts in /tmp/ (SKILL.md Phase 3a, Phase 5, Phase 6).
  - Sanitization: No specific sanitization, escaping, or validation of changelog content is described before it is used to generate verification scripts or rewritten prose.
Audit Metadata