librarian
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Dynamic Execution (MEDIUM): The skill relies on the opensrc_execute tool (documented in references/opensrc-api.md), which executes arbitrary JavaScript async arrow functions on a server. While intended for code analysis, this provides a primitive for general code execution.
- Indirect Prompt Injection (LOW): The skill is designed to ingest untrusted data which could contain malicious instructions.
  - Ingestion points: Content is fetched from arbitrary public repositories and registries via opensrc.fetch, opensrc.read, and opensrc.grep (referenced in references/opensrc-api.md).
  - Boundary markers: Analysis of SKILL.md and references/opensrc-examples.md shows no instructions for the agent to use delimiters or ignore embedded instructions when reading external code.
  - Capability inventory: The agent can read/write files and execute JavaScript on a server through the toolset.
  - Sanitization: No sanitization or validation of the fetched source code is performed before it is processed by the agent.
- External Downloads (LOW): The skill fetches packages and repositories from GitHub, npm, PyPI, and crates.io. While these are trusted registries per [TRUST-SCOPE-RULE], the content downloaded is attacker-controlled and processed with high-capability tools.
- Metadata Poisoning (LOW): SKILL.md includes instructions to 'Never mention tool names' in responses, which is a deceptive practice that obscures the agent's internal operations from the user.
Audit Metadata