heartreverie-create-plugin


Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run deno test --allow-read --allow-write --allow-env --allow-net in Step 9 of SKILL.md. This command grants the test environment broad access to the host's filesystem, environment variables, and network, which poses a risk if testing untrusted code.
  • [REMOTE_CODE_EXECUTION]: In references/hook-api.md, the documentation explicitly lists "running external tools" and "run external binary" as supported use cases for backend hooks. This capability allows any plugin created using these guides to execute arbitrary code on the host system.
  • [DATA_EXFILTRATION]: The plugin architecture provides access to sensitive directory paths such as storyDir and rootDir while also documenting network-capable hooks, creating a potential path for data exfiltration from the project environment.
  • [PROMPT_INJECTION]: The skill describes an architecture for indirect prompt injection where unvalidated Markdown files are interpolated into the system prompt via Vento templates.
      • Ingestion points: Files declared in the promptFragments array (e.g., instructions.md) are read and injected into the agent's context.
      • Boundary markers: The system does not specify the use of delimiters or instructions to prevent the agent from obeying instructions embedded within the fragments.
      • Capability inventory: The system architecture supports subprocess execution, file system access, and network operations across its hook stages.
      • Sanitization: No sanitization or validation process is mentioned for the content of injected prompt fragments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 18, 2026, 07:39 AM