joplin-plugin-writer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Processes untrusted user requirements for new features and reads existing plugin code (src/index.ts) and metadata (manifest.json).
  - Boundary markers: No boundary markers or 'ignore' instructions are present to separate user input from agent logic.
  - Capability inventory: Possesses significant capabilities including shell command execution (npm, yo) and file system modification.
  - Sanitization: No sanitization or validation of user-provided content is performed before generating code or execution steps. A malicious requirement could lead to the generation of a plugin with a harmful postinstall script or compromised webpack configuration.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill promotes a 'download then execute' pattern by installing global packages ('yo' and 'generator-joplin') and running them immediately. Because these sources are not in the trusted list, this poses a high risk of executing malicious code if a registry or package is compromised.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Downloads external packages from the public npm registry that are not verified against the trusted source list.
- [COMMAND_EXECUTION] (MEDIUM): Frequently executes system-level commands such as 'npm install -g', 'yo joplin', and 'npm run dist' which can impact the host environment.
Recommendations
- AI detected serious security threats