app-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core purpose is to process untrusted natural language requests to drive complex actions.
- Ingestion points: Processes 'natural language requests' to determine project structure and execution logic.
- Boundary markers: None. There are no instructions to the agent to treat user-provided project specs as data rather than instructions.
- Capability inventory: Possesses high-privilege tools including Bash, Write, Edit, and Agent (ability to spawn/control other agents).
- Sanitization: No evidence of sanitization or validation of the requirements before they influence tool usage.
- [Command Execution] (HIGH): The skill explicitly enables the Bash tool. While necessary for its stated purpose of building apps, the combination of shell access and untrusted input allows an attacker to execute arbitrary commands on the host system by embedding them in a project request (e.g., 'Build an app that runs [malicious command]').
Recommendations
- AI detected serious security threats
Audit Metadata