markdesk-setup
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill clones a repository from an unverified source (https://github.com/charlieclark/markdesk.git) and proceeds to run `npm install`. This is a high-risk pattern because the `package.json` in the untrusted repository could contain malicious lifecycle scripts (e.g., `preinstall`, `postinstall`) that execute arbitrary commands on the user's system.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads a complete project template from a non-trusted GitHub account (charlieclark). Per the security framework, unverified downloads followed by execution carry a High severity rating.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes shell commands (`git clone`, `rm -rf`, `npm install`) using parameters gathered from the user. This exposes the system to command injection if the user-provided inputs (like the directory name) are not strictly validated.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: User input gathered via `AskUserQuestion` in Step 1 (Project directory name, Brand name, etc.).
  - Boundary markers: Absent. User input is interpolated directly into shell scripts and TypeScript configuration files without delimiters.
  - Capability inventory: The skill has significant capabilities including shell command execution (`git`, `rm`, `npm`) and file system write access (`markdesk.config.ts`, `.env`, `README.md`).
  - Sanitization: Absent. There is no evidence of input validation or shell escaping for the `<directory-name>` or other user-provided strings before they are used in `git clone` or `cd` commands.
Recommendations
- AI detected serious security threats