turborepo-caching
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The Node.js Express template for self-hosted caching is vulnerable to Path Traversal.
- Evidence: In Template 4, the GET route uses req.query.teamId and req.params.hash in path.join() without sanitization, allowing arbitrary file reads outside the intended cache directory.
- [REMOTE_CODE_EXECUTION]: The self-hosted cache server template allows arbitrary file writes via an unvalidated path construction.
- Evidence: The PUT route uses unsanitized user input (teamId and hash) to determine the file destination, which could be exploited to overwrite sensitive system files or scripts.
- [COMMAND_EXECUTION]: The skill includes shell command templates for project management and CI/CD pipelines.
- Evidence: Includes examples for npx turbo, npm ci, and turbo build commands for local and remote environments.
Audit Metadata