xerahs-release-bump-tag
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs repository updates and submodule synchronization using 'git pull' and 'git submodule update'. These operations target GitHub, a trusted and well-known service.
- [COMMAND_EXECUTION]: Utilizes system commands including 'git', 'gh' (GitHub CLI), and 'dotnet' to orchestrate the release lifecycle, manage repository state, and verify project builds.
- [PROMPT_INJECTION]: An indirect prompt injection surface (Category 8) is present.
  - Ingestion points: The skill retrieves external data by fetching GitHub Action logs with 'gh run view --log' and reading existing release bodies with 'gh release view'.
  - Boundary markers: No delimiters or 'ignore instructions' warnings are implemented for the ingested external data.
  - Capability inventory: The agent has the ability to execute 'git push', 'gh release edit', and 'dotnet build'.
  - Sanitization: There is no evidence of sanitization or filtering applied to the log content before it is processed by the agent.