icp-appgen
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill's GitHub Action templates in assets/workflows/ (build.yml, deploy.yml, and test.yml) use a piped remote execution pattern (curl | sh) to install the Dfinity SDK from internetcomputer.org. Since this domain is not included in the pre-approved trusted source list, this constitutes a high-risk external dependency.
- REMOTE_CODE_EXECUTION (HIGH): Piped remote execution is a critical vulnerability surface. Furthermore, an automated scanner (URLite) detected a blacklisted URL within the main.rs structure that this skill manages and deploys.
- COMMAND_EXECUTION (MEDIUM): Multiple Python utility scripts (e.g., deploy.py, test.py) execute system commands using the subprocess module. These commands use project-specific parameters, which could lead to shell injection if canister or project names are maliciously crafted.
- DYNAMIC_EXECUTION (HIGH): The skill generates Motoko, Rust, and TypeScript code by interpolating user-provided strings into templates without proper sanitization. This allows for arbitrary code injection into the generated canisters during the scaffolding process.
- INDIRECT_PROMPT_INJECTION (LOW):
  - Ingestion points: User-controlled project names, canister names, and symbols passed to add-canister.py and add-token.py.
  - Boundary markers: None are present in the generated code templates to prevent the LLM or build system from executing instructions embedded in these strings.
  - Capability inventory: The skill possesses filesystem write access and the ability to execute shell commands via the dfx tool.
  - Sanitization: Input strings undergo minimal transformation (such as .title()), which is insufficient to sanitize against malicious code or script injection into the generated project files.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata