zod4

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [Remote Code Execution] (HIGH): The skill explicitly instructs users to run 'npx zod-v3-to-v4' in reference/migration-checklist.md and SKILL.md. Because Zod 4 is not an official stable release and this tool is not a verified utility from the Zod maintainers, this command represents an unverified remote script execution vector.
  • [External Downloads] (HIGH): The documentation encourages users to install 'zod@^4.0.0'. Given that the current official stable version is v3.x, following these instructions could lead users to install unofficial or malicious packages that have registered the next major version string on npm.
  • [Metadata Poisoning] (MEDIUM): The skill description and content provide false information regarding a 'Zod 4' release, including fabricated API changes and benchmarks. This deceptive content creates a false sense of authority to encourage the execution of unverified commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:20 PM