mockoon-cli
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires installing and running the mockoon-cli command-line tool as a global npm package.
- [EXTERNAL_DOWNLOADS]: Users are instructed on how to load mock environments directly from remote URLs using the --data flag in the start command.
- [DATA_EXFILTRATION]: The Handlebars-based templating engine includes a getEnvVar helper that allows mock responses to access and serve local environment variables, which could lead to the exposure of sensitive secrets if the mock server is misconfigured.
- [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface where the agent is instructed to ingest untrusted mock definitions from arbitrary URLs, potentially allowing an attacker to craft responses that attempt to extract environment variables or influence the agent's behavior through served data.
Audit Metadata