app-builder
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill possesses a significant attack surface as it ingests untrusted user requests to determine project types and tech stacks, which are then interpolated into execution templates.
  - Ingestion points: User project descriptions are tokenized in project-detection.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands in the user input are provided in the skill files.
  - Capability inventory: The specialist agents (coordinated in agent-coordination.md) have capabilities for file system modification, package installation (npm, pip), and database operations (prisma).
  - Sanitization: No evidence of sanitization or validation of the {{name}} or project type tokens before they are passed to terminal commands.
- [Unverifiable Dependencies] (LOW): Multiple templates (e.g., python-fastapi/TEMPLATE.md, nextjs-saas/TEMPLATE.md) suggest installing packages and running remote scripts via npx, npm install, and pip install without version pinning. This could lead to the execution of malicious or incompatible code if an attacker manipulates the tech stack selection.
- [Command Execution] (LOW): The skill provides instructions for the agent to execute shell commands such as npx create-next-app, npm publish, and alembic upgrade. While these are standard developer tools, they represent a privilege tier that requires user oversight when triggered by automated planning.
Audit Metadata