moai-lang-r
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exposes a critical Indirect Prompt Injection vulnerability surface. It promotes patterns that ingest external, potentially attacker-controlled content without providing safety mechanisms.
  - Ingestion points: The skill facilitates reading external files via `read_csv` and handling web user input via Shiny input reactives (e.g., `selectInput`).
  - Boundary markers: No boundary markers, XML-style tagging, or 'ignore instructions' warnings are provided to separate untrusted data from the agent's logic.
  - Capability inventory: The skill is explicitly granted the `Bash` tool, which can be used to execute the generated R code or shell commands, creating a direct path for code injection from data.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of external content to prevent embedded instructions from being obeyed by the agent.
- COMMAND_EXECUTION (MEDIUM): The skill provides patterns for environment-modifying shell commands through the `renv` package manager (e.g., `renv::init`, `renv::snapshot`) and the general use of the `Bash` tool.
- EXTERNAL_DOWNLOADS (LOW): The skill includes documentation for `renv::install`, which involves downloading and executing code from external repositories. Per the [TRUST-SCOPE-RULE], this is marked as LOW severity as it pertains to standard R package registries.
Recommendations
- AI detected serious security threats