NYC

feature-manifest

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Remote Code Execution (HIGH): The 'allowed-tools' metadata specifies 'Bash(npm:,npx:)'. Allowing 'npx:' grants the capability to download and execute any arbitrary package from the npm registry at runtime, which is a major security risk. Similarly, 'npm:' allows package installations which can execute arbitrary install scripts.
  • Indirect Prompt Injection (HIGH):
      • Ingestion points: The skill reads YAML manifest files from the local file system (which may contain content from untrusted external contributors).
      • Boundary markers: No delimiters or 'ignore-instructions' are defined for processing these files.
      • Capability inventory: The skill has 'Read', 'Write', 'Edit', and 'Bash' tools.
      • Sanitization: No sanitization is performed on external content. This allows a malicious manifest to potentially hijack the agent's logic.
  • Command Execution (HIGH): Several quick commands use placeholders like '' within shell executions (e.g., 'npm run feature:info -- '). Without strict validation, these are vulnerable to command injection if the agent populates them with malicious shell characters (e.g., ';', '&&').
  • Obfuscation (LOW): The use of '<' in documentation is a minor finding, used for display purposes rather than evasion.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:09 AM