Skills
skills/davila7/claude-code-templates/lint-and-validate/Gen Agent Trust Hub

lint-and-validate

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The scripts/lint_runner.py script executes commands via subprocess.run that are derived from the project's configuration. Specifically, it runs npm run lint, which executes whatever command is defined in the scripts section of package.json. Evidence: Ingestion point: package.json parsing in detect_project_type. Capability: subprocess.run in run_linter. Sanitization: None.
  • [PROMPT_INJECTION] (HIGH): Category 8: Indirect Prompt Injection. The skill processes untrusted external project files and provides a direct execution path for commands found within those files. There are no boundary markers or instructions to ignore embedded commands in the processed data.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses npx for eslint and tsc. These tools can download and execute packages from the public npm registry at runtime, which poses a risk of executing malicious or compromised packages.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 08:31 PM