drupal-update
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection because it fetches external data (changelogs) and processes them while possessing high-privilege capabilities.
- Ingestion points: Release notes and changelogs fetched from drupal.org via the fetch_changelog.php script.
- Boundary markers: Absent. The documentation does not specify the use of delimiters or 'ignore' instructions for external content.
- Capability inventory: The skill can modify the project (composer require), execute commands (ddev exec), and update the database.
- Sanitization: Absent. There is no mention of filtering or sanitizing external text before it is presented to the agent's context.
- [COMMAND_EXECUTION] (MEDIUM): The workflow relies on executing complex system commands like composer update, composer require, and ddev exec php. While these are functional requirements for Drupal maintenance, they represent a significant attack surface if the agent's decision-making is subverted by malicious input.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill automatically downloads and applies updates from the Drupal module ecosystem. While this is standard behavior for the tool, it involves executing unverifiable third-party code (composer packages) in the local environment without a pre-installation security audit of the code itself.
Recommendations
- AI detected serious security threats