knip
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): This skill has a high-risk attack surface as it processes untrusted data (the project's codebase) and possesses destructive capabilities.
  1. Ingestion points: Project source files and configuration (package.json).
  2. Boundary markers: None present.
  3. Capability inventory: File deletion (via 'npx --allow-remove-files' or 'rm'), dependency removal (via 'npm' or 'package.json' edits), and general file editing.
  4. Sanitization: None.

  A malicious codebase could be crafted to produce tool output that tricks the agent into 'high confidence' automatic deletion of critical files.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill triggers 'npm install -D knip' and 'npx knip'. This downloads and executes code from the public npm registry. While npm is a standard source, this introduces a supply-chain risk if the package or its sub-dependencies are compromised.
- [Dynamic Execution] (MEDIUM): The skill uses 'npx' to execute downloaded packages at runtime, which is a form of dynamic code execution on the local environment.
- [Command Execution] (HIGH): The instructions explicitly permit 'Auto-delete (high confidence)' operations and automated fixes using '--allow-remove-files' without user intervention, bypassing human-in-the-loop safety checks for destructive filesystem operations.
Recommendations
- AI detected serious security threats
Audit Metadata