sillytavern-extension-builder
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The `scripts/scaffold_extension.sh` script executes shell commands (`mkdir`, `cp`, `sed`) using variables derived directly from user input (e.g., `EXT_SLUG`).
  - Evidence: The script uses `mkdir -p "$TARGET_DIR"` where `TARGET_DIR` is constructed from a user-provided root and slug. A malicious slug like `../../../tmp/poc` could enable path traversal.
  - Risk: Unauthorized file system writes or overwriting critical system/application files.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core function of converting untrusted user input into executable assets.
  - Ingestion points: User requirements for extension names, authors, and behavioral logic processed in `SKILL.md` and passed to `scripts/scaffold_extension.sh`.
  - Boundary markers: Absent. There are no delimiters or instructions to prevent the agent from obeying embedded instructions within user-provided metadata.
  - Capability inventory: Direct filesystem write access via bash scripts and the generation of JavaScript code intended for execution in a web environment.
  - Sanitization: The `escape_sed` function in the shell script only escapes `/` and `&`. It does not sanitize shell metacharacters or JavaScript-specific injection strings.
- [DYNAMIC_EXECUTION] (MEDIUM): The provided templates (`assets/templates/extension-slash/index.js`) incorporate dynamic module loading.
  - Evidence: The `importFromUrl` function uses `await import(url)` to load dependencies at runtime.
  - Risk: While the template currently uses hardcoded local paths, the pattern facilitates dynamic loading, which could be exploited to load remote malicious scripts if the URL generation is compromised.
Recommendations
- AI detected serious security threats