build-engineer

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Vulnerable to indirect prompt injection via the processing of project requirements.
      • Ingestion Points: CLI arguments (port, framework, language, api_proxy) in scripts/config_vite.py and scripts/config_webpack.py are used to populate configuration templates.
      • Boundary Markers: None. Untrusted input is directly interpolated into template strings.
      • Capability Inventory: The scripts write .js and .ts files to the filesystem, which are executed as part of the software build process.
      • Sanitization: Absent. There is no escaping or validation of input before it is written to executable files.
  • [COMMAND_EXECUTION] (HIGH): The skill can be tricked into generating malicious build configurations.
      • Evidence: In scripts/config_vite.py, the api_proxy parameter is placed inside a string literal in the generated vite.config.ts. A crafted payload could use quote-breaking (e.g., ', onProxyReq: () => { ... }, ') to inject arbitrary JavaScript logic into the build server.
  • [LOW] (INFO): Code quality issue in scripts/config_webpack.py.
      • Evidence: Line 25 contains an f-string { BundleAnalyzerPlugin } which refers to an undefined Python variable, causing the script to crash with a NameError rather than generating a valid config.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 10:42 PM