recoup-release-campaign
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local script
scripts/build_campaign_timeline.pyusingpython3. This utility is part of the skill package and uses only Python standard library modules. - [COMMAND_EXECUTION]: The skill instructions specify a target file path containing shell command substitution:
campaign-$(date +%F).md. This may encourage the agent to use shell environments when performing file operations. - [COMMAND_EXECUTION]: The skill has an indirect prompt injection surface where user-supplied inputs (e.g., artist names, release types) are interpolated into script arguments and file paths. There are no boundary markers or sanitization instructions to prevent adversarial input from influencing command execution.
Audit Metadata