agent-skill-deploy
Warn
Audited by Gen Agent Trust Hub on Jun 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's deployment workflow in
SKILL.md(Step 9) instructs the agent to execute a shell command:echo '{{CHANGELOG}}' > /tmp/release-notes.md. This is a classic command injection pattern. Because theCHANGELOGcontent is generated from git commit history (analyzed indeploy-analyze.mjs), a malicious commit message containing a single quote could terminate the echo string and execute subsequent shell commands. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
- Ingestion points: Untrusted data enters the agent context via git logs (commit messages) and skill metadata files within the repository being deployed.
- Boundary markers: No specific boundary markers or 'ignore embedded instructions' warnings are used when the agent processes or interpolates the changelog content.
- Capability inventory: The skill scripts (
deploy-execute.mjs) have the capability to execute shell commands (execSync) for git operations and GitHub CLI releases, and can perform file system writes across the repository. - Sanitization: There is no evidence of sanitization or escaping for the changelog content before it is interpolated into shell commands in Step 9.
Audit Metadata