Trust Assessment
release-gen received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Prompt Injection via Git Commit Messages, Command Injection via LLM-Generated Git Tag Arguments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection via Git Commit Messages.** User-controlled git commit messages are directly embedded into the LLM's user prompt without sanitization or validation. An attacker could craft malicious commit messages containing instructions (e.g., 'ignore previous instructions', 'reveal system information') to manipulate the LLM's behavior, potentially leading to unintended actions, data leakage, or generation of harmful content. Implement robust sanitization and validation of user-controlled `commits` before passing them to the LLM. Consider techniques like strict input parsing to extract only relevant information, escaping special characters, or using a 'safety wrapper' around user input in the prompt (e.g., 'User commits start here: ---{commits}--- User commits end here.'). | LLM | src/index.ts:45 |
| HIGH | **Command Injection via LLM-Generated Git Tag Arguments.** The `version` and `notes` generated by the LLM are directly used as arguments to `git.addAnnotatedTag()`. If the LLM is successfully prompted to generate malicious strings (e.g., containing shell metacharacters or git command injection payloads), it could potentially lead to arbitrary command execution on the host system, depending on `simple-git`'s sanitization and the underlying `git` command's behavior. Strictly validate the format of the LLM-generated `version` (e.g., using a regex for `x.y.z`) and sanitize `notes` (e.g., remove shell metacharacters, limit length) before passing them to `simple-git`. Ensure the process running the skill operates with the principle of least privilege. | LLM | src/index.ts:52 |
| MEDIUM | **Unpinned npm dependency version.** Dependency 'commander' is not pinned to an exact version ('^12.1.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/lxgicstudios/release-gen/package.json |
| INFO | **Access to OpenAI API Key.** The skill explicitly requires the `OPENAI_API_KEY` environment variable for its operation. While necessary for an OpenAI-powered skill, this highlights the presence and usage of a sensitive credential. The provided code does not appear to exfiltrate this key. Ensure the `OPENAI_API_KEY` is managed securely (e.g., environment variables, secret management systems) and never hardcoded or logged. Follow best practices for API key rotation and access control. | LLM | SKILL.md:60 |
| INFO | **Unpinned Dependencies in package.json.** The `package.json` uses caret (`^`) ranges for dependencies, allowing minor and patch updates automatically. While common, this introduces a risk where a malicious or vulnerable version of a dependency could be pulled in without explicit review, potentially leading to new vulnerabilities. Consider pinning dependencies to exact versions (e.g., `12.1.0` instead of `^12.1.0`) or regularly auditing dependencies for known vulnerabilities. Ensure `package-lock.json` is committed and used for consistent builds. | LLM | package.json:9 |