Skills
skills/fellipeutaka/leon/denji/Gen Agent Trust Hub

denji

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Denji CLI supports lifecycle hooks (e.g., preAdd, postAdd, postRemove) that execute arbitrary shell commands specified in the denji.json configuration file. This functionality can be used to execute arbitrary code if the configuration file is influenced by an attacker.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch and execute the denji package from the npm registry at runtime. It also references an external JSON schema hosted at https://denji-docs.vercel.app/configuration_schema.json.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the project configuration.
  • Ingestion points: The denji.json file, which may be initialized or updated based on untrusted project files or user instructions.
  • Boundary markers: None; the tool does not provide warnings or delimiters when executing commands from the configuration.
  • Capability inventory: The skill allows execution of npx denji commands via the Bash tool, which can trigger any command defined in the hooks section of the config.
  • Sanitization: No sanitization or validation is performed on the shell commands defined within the configuration hooks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 7, 2026, 03:33 AM