jeecg-onlchart
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates and executes Python scripts locally to manage complex API interactions and performs direct local database modifications using the mysql CLI when the target environment is identified as localhost.
- [CREDENTIALS_UNSAFE]: The supporting Python scripts (onlchart_api.py and yapi_mock.py) disable SSL certificate verification by setting 'ssl.CERT_NONE' and 'check_hostname = False'. This exposes the 'X-Access-Token' (JWT) and sensitive SQL queries to potential theft through Man-in-the-Middle (MITM) attacks.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it ingests and processes untrusted data (user requirements and SQL queries) to create system configurations. While the skill instructs the agent to show a summary for user confirmation, the capability to modify system permissions provides a significant impact vector if the agent is misled.
- [SAFE]: The skill interacts with the vendor's official domains (jeecg.com) and specific well-known service endpoints to perform its advertised functions.
Audit Metadata