moon
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The documentation in `examples/ci-workflow.yml` includes a pattern for downloading and immediately executing a shell script from the internet using `curl -fsSL https://moonrepo.dev/install/proto.sh | bash`. This is a classic remote code execution vector.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill documentation in `references/workspace-config.md` describes a feature for loading remote WASM extensions from arbitrary URLs, such as `plugin: "https://example.com/migrate-nx.wasm"`. Executing unverified remote binaries is a high-risk activity.
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to manage and execute shell commands via the `moon` binary. As documented in `references/v2-migration.md`, the `script` field in `moon.yml` explicitly enables shell features like pipes, redirects, and environment expansion, allowing for arbitrary command execution on the host system.
- [PROMPT_INJECTION] (LOW): There is a potential for Indirect Prompt Injection because the skill generates configuration files (`moon.yml`) containing shell scripts based on user requests.
  - Ingestion points: `SKILL.md` identifies triggers like "create moon tasks" or "add moon project" which process user-provided task descriptions.
  - Boundary markers: None are present in the provided templates or instructions to prevent the agent from obeying instructions embedded in user input when generating task scripts.
  - Capability inventory: The skill enables full shell execution via the `script` field in `moon.yml` (referenced in `references/v2-migration.md`) and task execution via `moon run` (referenced in `references/cli-reference.md`).
  - Sanitization: No evidence of sanitization or escaping of user input before interpolation into command or script fields.
Recommendations
- AI detected serious security threats
Audit Metadata