pinescript
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The script `scripts/pinescript_lint.mjs` is vulnerable to command injection. It uses `child_process.spawn` with `shell: true` on a command string constructed by concatenating the `PINESCRIPT_LINT_CMD` environment variable and user-provided command-line arguments without any sanitization. An attacker could exploit this by providing malicious input (e.g., `; rm -rf /`) to execute arbitrary shell commands.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill performs unverified downloads and execution of remote code through its default use of `npx --yes pinescript-lint`. The `--yes` flag instructs npx to download and execute the package from the npm registry without prompting for confirmation, introducing a supply chain risk.
- REMOTE_CODE_EXECUTION (HIGH): The combination of shell execution and the ability to download/execute arbitrary packages at runtime creates a high-severity remote code execution vector.
Recommendations
- AI detected serious security threats
Audit Metadata