hile-cli
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements dynamic loading and execution of local code and modules. It uses the import() function on paths that are determined at runtime by scanning the file system or reading the project's package.json file.
  - Evidence: In src/index.ts, the skill resolves directories and performs globbing to find **/*.boot.{ts,js} files, which are then imported and executed. It also imports modules listed in the hile.auto_load_packages configuration. This behavior allows for the execution of code that is not part of the skill itself.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it processes data from external sources (the local file system and package.json) and uses it to perform powerful actions like code execution.
  - Ingestion points: The package.json configuration file and any file matching the **/*.boot.{ts,js} pattern.
  - Boundary markers: None. The skill does not implement delimiters or safety instructions to distinguish between trusted and untrusted content in these files.
  - Capability inventory: The skill can dynamically import modules and execute code, and it can load environment variables into the process using process.loadEnvFile().
  - Sanitization: While the skill checks if the imported content is a 'service' using isService(), it does not validate the integrity or safety of the code being imported.
Audit Metadata