developer-experience
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted external data (project files, READMEs, and configurations) and has the capability to generate and execute side-effect-heavy scripts.
  - Ingestion points: Processes existing project workflows and files via commands like 'Analyze the development workflow'.
  - Capability inventory: Generates and suggests execution of 'setup.sh', 'Makefile', 'package.json' scripts, and VS Code tasks.
  - Boundary markers: None identified; the agent lacks delimiters to separate project content from system instructions.
  - Sanitization: No evidence of filtering or validating content from the target repository before incorporating it into executable scripts.
- [Persistence & Shell Modification] (MEDIUM): The skill explicitly encourages modifying user shell configuration files.
  - Evidence: Recommends adding aliases to '~/.zshrc' or '~/.bashrc' (Example 2).
  - Risk: Automated modification of shell profiles is a common persistence vector used by malicious actors to ensure unauthorized code runs in every new terminal session.
- [Execution of Untrusted Content] (MEDIUM): The skill promotes a 'one-command setup' pattern, which often involves running scripts with high privileges.
  - Evidence: Encourages 'bash setup.sh' and 'npm install' as standard onboarding steps.
  - Risk: If the agent generates these scripts from a poisoned project context, it facilitates remote code execution on the user's host.
Recommendations
- AI detected serious security threats
Audit Metadata