app-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted natural language requests from users to orchestrate application builds. This creates a significant attack surface for indirect prompt injection.
- Ingestion points: Natural language requests (e.g., 'Make an Instagram clone') processed by the orchestrator (SKILL.md).
- Boundary markers: None identified. There are no delimiters or instructions to treat user content as data only.
- Capability inventory: Access to the Bash, Write, Edit, and Agent tools allows for direct system interaction.
- Sanitization: No evidence of sanitization or validation of the input before it is used to generate logic or execute commands.
- Command Execution (HIGH): The skill is explicitly allowed to use the Bash tool. In the absence of strict input controls, this allows the agent to execute arbitrary shell commands if tricked by a malicious prompt.
- Metadata Poisoning (MEDIUM): The skill's description and role as a 'Main application building orchestrator' may lead users or other agents to grant it excessive permissions without realizing the underlying vulnerability to injected instructions.
Recommendations
- AI detected serious security threats
Audit Metadata