code-lint-fix
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script detect-and-fix.sh executes a range of command-line tools based on the project's structure. It uses the eval command to run these tools from predefined strings, which is a sensitive execution pattern.
- [EXTERNAL_DOWNLOADS]: The skill uses npx to execute Node.js tools such as @biomejs/biome, eslint, and prettier. This can result in downloading packages from the npm registry if they are not already installed locally.
- [REMOTE_CODE_EXECUTION]: By using npx and eval, the skill has a surface for executing code that originates from external registries or is triggered by project-specific configuration files.
- [COMMAND_EXECUTION]: The skill has an indirect prompt injection surface, since it processes untrusted project code and configuration files using powerful command-line utilities.
  - Ingestion points: Reads project configuration files (e.g., biome.json, .eslintrc, Cargo.toml) and source code files in the detect-and-fix.sh script.
  - Boundary markers: None present.
  - Capability inventory: Execution of arbitrary developer tools including npx, cargo, and go via the eval command in a bash script.
  - Sanitization: No explicit sanitization or validation of project files or tool outputs before execution or reporting.
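The two execution patterns flagged above (a command string handed to eval, and npx that may fetch a package on demand) next to the form a hardened detect-and-fix script would take, as an added example that is not the skill's own detect-and-fix.sh. The function names, the marker-file table, the tool invocations, the lookup of Node tools in the project's own node_modules/.bin instead of through npx, and the hostile sample path are all this example's assumptions.

```shell
#!/bin/sh
# Added example, not the skill's detect-and-fix.sh. Assumptions: the marker
# files checked, the tool commands, and resolving Node tools from the
# project's own node_modules/.bin rather than through npx.
set -eu

# Map a marker file in the project dir to a fixed tool name. Only literals
# from this table are ever emitted; file contents never reach the command.
detect_tool() {
  if   [ -f "$1/biome.json" ]; then echo biome
  elif [ -f "$1/Cargo.toml" ]; then echo cargo
  elif [ -f "$1/go.mod" ];     then echo go
  elif [ -f "$1/.eslintrc" ] || [ -f "$1/.eslintrc.json" ]; then echo eslint
  else echo none
  fi
}

# Print the path of a tool already installed in the project, or fail.
# Failing here is what rules out the "npx fetches it from the registry" case.
local_bin() {
  [ -x "$1/node_modules/.bin/$2" ] || return 1
  printf '%s\n' "$1/node_modules/.bin/$2"
}

# Run the detected tool. The command is assembled as positional parameters
# and executed as "$@": every word is one argv entry and nothing is
# re-parsed by the shell, which is exactly what eval "$cmd" would do.
run_fix() {
  dir=$1
  case "$(detect_tool "$dir")" in
    biome)  bin=$(local_bin "$dir" biome)  || return 1
            set -- "$bin" check --write "$dir" ;;
    eslint) bin=$(local_bin "$dir" eslint) || return 1
            set -- "$bin" --fix "$dir" ;;
    cargo)  set -- cargo fmt --manifest-path "$dir/Cargo.toml" ;;
    go)     set -- gofmt -w "$dir" ;;
    *)      echo "no supported tool config in $dir" >&2; return 1 ;;
  esac
  "$@"
}

# The pattern the audit flags, beside the argv form, on the same input.
# With eval the $(...) inside the path runs; with "$@" it is passed verbatim.
eval_form()  { cmd="printf '%s\n' $1"; eval "$cmd"; }
array_form() { set -- printf '%s\n' "$1"; "$@"; }

# usage: sh fix.sh /path/to/project
if [ -n "${1-}" ]; then run_fix "$1"; fi
```

Running `eval_form '$(echo INJECTED)'` prints INJECTED, because eval re-parses the string and executes the substitution; `array_form` with the same input prints the literal `$(echo INJECTED)`. The same holds for a project path or a value read out of biome.json or Cargo.toml: anything that ends up inside a string given to eval is code, anything placed in "$@" is data. Resolving biome and eslint from node_modules/.bin (and failing when they are absent) keeps the script from ever reaching the npm registry at run time; the project's lockfile then decides which version runs.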
Audit Metadata