
payload-cms

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The skill is designed to read and display content from a CMS database, which is an untrusted ingestion point.
      ◦ Ingestion points: scripts/payload.js (via the find, find-by-id, and schema commands).
      ◦ Boundary markers: None. Data is returned to the agent as raw JSON.
      ◦ Capability inventory: The agent has access to Bash, allowing it to execute arbitrary commands if influenced by malicious data retrieved from the database.
      ◦ Sanitization: None. The skill does not filter or sanitize database content for instructions.
  • [COMMAND_EXECUTION] (MEDIUM): The startServer function in scripts/payload.js uses child_process.spawn to execute pnpm tsx on a local TypeScript file (scripts/server.ts). This launches a persistent background process that remains active for up to 30 minutes of idle time.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill requires the pnpm package manager and the tsx execution engine to be installed on the host system, which are external dependencies not managed by the skill itself.
  • [DATA_EXFILTRATION] (LOW): The skill opens a local HTTP server on 127.0.0.1. While limited to localhost, this exposes a network interface that other local processes could potentially interact with to access database content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:43 AM