changelog-draft

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python scripts included in the skill (fetch_prs.py, classify_contributors.py, fetch_issue_reporters.py) use the subprocess module to run git and GitHub CLI (gh) commands. These operations retrieve commit logs, pull request details, and issue reporter information. The arguments for these commands, such as repository names and release tags, are derived from user input or skill instructions. The commands are executed as argument lists, which is a standard safety practice to prevent shell injection.
  • [PROMPT_INJECTION]: The skill processes external, untrusted content from GitHub pull request titles, bodies, and issue descriptions. This presents an indirect prompt injection surface where a malicious contributor could attempt to influence the agent's summarization or classification logic by embedding instructions in PR metadata.
      • Ingestion points: Pull request metadata (title, body, labels) and issue details (title, author) are fetched from GitHub via the gh CLI in fetch_prs.py and fetch_issue_reporters.py.
      • Boundary markers: The skill uses structured JSON to manage fetched data, but the natural language content is subsequently processed to generate changelog entries.
      • Capability inventory: The skill executes local shell commands (via git and gh) and writes JSON/Markdown artifacts to a local output directory.
      • Sanitization: fetch_prs.py implements basic sanitization by stripping HTML comments from PR bodies to prevent template placeholders from being misinterpreted as changelog markers.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 03:27 AM