typst-author
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The SKILL.md file instructs the agent to 'Validate the generated Typst by running typst compile'. Executing system commands on content that can be influenced by user input is a high-severity risk.
- [PROMPT_INJECTION] (HIGH): The skill has a high Indirect Prompt Injection (IPI) surface (Category 8). Evidence: 1. Ingestion points: SKILL.md specifies editing 'existing Typst files'. 2. Boundary markers: absent. 3. Capability inventory: typst compile (subprocesses mentioned in SKILL.md), and powerful Typst functions documented in the docs/ folder such as read/csv/json (file-read capabilities in docs/reference/data-loading/) and plugin (WASM execution in docs/reference/foundations/plugin.md). 4. Sanitization: absent. A malicious Typst file could contain instructions that exploit these capabilities to exfiltrate data or hijack the agent's logic.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Typst's plugin() function allows loading WebAssembly modules. An agent induced to compile a document referencing a malicious WASM plugin could execute arbitrary code within the Typst environment.
- [DATA_EXFILTRATION] (MEDIUM): Typst functions like read() and csv() can be used to access local files. This creates a risk of exposing sensitive data if a malicious document is compiled.
Recommendations
- AI detected serious security threats
Audit Metadata