software-manual
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill downloads third-party libraries (marked.js, highlight.js) from
unpkg.comusingcurlas specified inscripts/bundle-libraries.md. It also triggers downloads of documentation tools likepdocandtypedoc-plugin-markdownfrom public registries. - COMMAND_EXECUTION (MEDIUM): The skill frequently uses the
Bashtool andsubprocess.runto execute shell commands for environment setup and document generation. Evidence includesnpm install,pip install, and starting the local development server (npm run dev) for automated screenshots inphases/04-screenshot-capture.md. - REMOTE_CODE_EXECUTION (MEDIUM): The script
scripts/extract_apis.pyuses dynamic imports to load the user's backend application code (e.g.,from app.main import app) to generate OpenAPI schemas. This allows arbitrary code from the project being documented to run in the agent's context. - PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted source code and metadata from the local project directory and interpolates it into prompts for the
universal-executorandcli-explore-agentsub-agents. - Ingestion points: Files like
package.json,README.md, and source files undersrc/**are read inphases/03-parallel-analysis.md. - Boundary markers: None identified in the prompt templates.
- Capability inventory: Sub-agents have the ability to read and write files to the disk and potentially execute code via the shell.
- Sanitization: There is no evidence of sanitization or escaping of external project content before it is processed by the LLM.
Audit Metadata