javascript-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Documentation examples in `references/tool-builder.md` and `references/agent-patterns.md` demonstrate the use of `eval()` to process input from agent tool arguments (e.g., in a calculator tool example). This pattern is highly insecure and provides a direct path for arbitrary code execution if an agent is manipulated via prompt injection.
- [DYNAMIC_EXECUTION]: The SDK provides a built-in `codeExecution(true)` capability for agents. This allows the AI to generate and run arbitrary code at runtime, which poses a severe risk if the agent processes untrusted data or is influenced by malicious prompts.
- [DATA_EXFILTRATION]: The skill documents the use of `webhookTool` and `uploadFile`, which can be configured to send local data to external or vendor-controlled endpoints. When combined with file system access (e.g., `fs.readFileSync`), these functionalities could be abused to harvest and exfiltrate sensitive user data.
- [PROMPT_INJECTION]: The skill has a broad attack surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through file uploads (`uploadFile`), local file reads (`readFileSync`), and external sources like web searches (`webSearch`).
  - Boundary markers: Documentation examples do not demonstrate the use of delimiters or 'ignore' instructions when interpolating external data into prompts.
  - Capability inventory: The skill allows high-privilege operations including shell command execution via Bash tools, runtime code execution, file system writes (`writeFileSync`), and network requests.
  - Sanitization: There is no evidence of input validation or content filtering to prevent malicious instructions embedded in ingested data from hijacking the agent's high-privilege capabilities.