moai-cc-configuration
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface.
  - Ingestion points: The skill utilizes the `mcp__context7__get-library-docs` tool to fetch external documentation at runtime, which is then processed to influence configuration architecture.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard potentially malicious instructions embedded within the fetched documentation.
  - Capability inventory: The agent is granted high-privilege capabilities including `Bash`, `Write`, `Edit`, and `WebFetch`, which could be abused if malicious instructions are successfully injected.
  - Sanitization: No sanitization or validation logic is shown for the content retrieved via the MCP tools.
- [COMMAND_EXECUTION]: High-Privilege Tool Access. The skill requests the `Bash` tool to perform configuration tasks. While this is consistent with an enterprise configuration management role, it grants the agent the ability to execute arbitrary commands on the host system.
- [EXTERNAL_DOWNLOADS]: Network Communication and Content Retrieval. The skill leverages `WebFetch` and specialized MCP tools to download external data. Additionally, code examples illustrate using the `fetch` API to interact with internal and external services such as HashiCorp Vault and Kubernetes APIs.
- [REMOTE_CODE_EXECUTION]: Dynamic Loading from Computed Paths. The TypeScript configuration manager example uses `require(configPath)` where the path is dynamically constructed from an environment variable. This pattern can be exploited to load unintended local files if the input is not strictly controlled.
Audit Metadata