minecraft-resource-pack
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a bash validation script `scripts/validate-resource-pack.sh` intended to be run locally by the user to check resource pack integrity using standard utilities like find and jq.
- [PROMPT_INJECTION]: The validation script `scripts/validate-resource-pack.sh` processes untrusted input from resource pack JSON files, which constitutes a potential indirect injection surface.
  - Ingestion points: The script reads configuration from `pack.mcmeta` and all JSON files within the `assets/` directory using `jq`.
  - Boundary markers: No specific boundary markers or 'ignore' instructions are present to prevent the processing of malicious path sequences in JSON values.
  - Capability inventory: The script performs file existence checks (`[[ -f ... ]]`) and echoes results to the terminal. It does not perform network operations or write to files.
  - Sanitization: Absent. The script constructs file paths using values extracted from JSON (such as namespaces and texture paths) without validating for path traversal sequences like `../`. This could allow a crafted resource pack to verify the existence of files on the local filesystem outside of the resource pack directory.
Audit Metadata