repo-librarian
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It is designed to read and categorize all markdown files and source code to identify 'dead' or 'obsolete' artifacts for deletion. An attacker could place malicious instructions inside a repository file to trick the agent into deleting critical code or performing unauthorized modifications. Evidence: Workflow step 'Read & Categorize' and 'Cleanup Actions' include 'Delete if not' logic. There are no boundary markers or sanitization processes to prevent the agent from obeying instructions found within the analyzed files.
- REMOTE_CODE_EXECUTION (HIGH): The skill uses `npx depcheck` in its 'Quick Commands'. `npx` downloads and executes code from the npm registry at runtime. Without version pinning or a lockfile, this allows for the execution of unverified remote code, which could be exploited via package hijacking or typosquatting.
- EXTERNAL_DOWNLOADS (MEDIUM): The use of `npx` involves downloading external packages from the npm registry. While npm is a standard source, the lack of integrity checks or versioning for the `depcheck` tool poses a security risk.
- COMMAND_EXECUTION (MEDIUM): The skill executes several shell commands, including `find`, `grep`, and `npx`. While these are functional requirements, their power to delete files based on processed untrusted input (the repo files) creates a dangerous capability chain.
Recommendations
- AI detected serious security threats
Audit Metadata