agent-skill-deploy

Warn

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's deployment workflow in SKILL.md (Step 9) instructs the agent to execute a shell command: echo '{{CHANGELOG}}' > /tmp/release-notes.md. This is a classic command injection pattern. Because the CHANGELOG content is generated from git commit history (analyzed in deploy-analyze.mjs), a malicious commit message containing a single quote could terminate the echo string and execute subsequent shell commands.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  • Ingestion points: Untrusted data enters the agent context via git logs (commit messages) and skill metadata files within the repository being deployed.
  • Boundary markers: No specific boundary markers or 'ignore embedded instructions' warnings are used when the agent processes or interpolates the changelog content.
  • Capability inventory: The skill scripts (deploy-execute.mjs) have the capability to execute shell commands (execSync) for git operations and GitHub CLI releases, and can perform file system writes across the repository.
  • Sanitization: There is no evidence of sanitization or escaping for the changelog content before it is interpolated into shell commands in Step 9.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 28, 2026, 12:46 AM
Security Audit — agent-trust-hub — agent-skill-deploy