NYC

next-upgrade

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill instructions direct the agent to run 'npx', 'npm install', and 'npm run', which allow for arbitrary command execution and modification of the local development environment.
  • [REMOTE_CODE_EXECUTION] (HIGH): The command 'npx @next/codemod@latest' downloads and executes remote code from the npm registry at runtime. Even when using trusted packages, this pattern is a high-risk vector for supply chain attacks.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill fetches packages from the npm registry and documentation from nextjs.org. Per the TRUST-SCOPE-RULE, these are downgraded to LOW due to the trusted nature of the providers (Vercel/npm), though they remain external dependencies.
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
    1. Ingestion points: Documentation fetched from nextjs.org.
    2. Boundary markers: Absent.
    3. Capability inventory: Command execution (npx, npm) and local file access.
    4. Sanitization: None.
    If the documentation source were compromised, the agent could be manipulated into executing malicious commands during the 'review' or 'test' steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:47 AM