warden-dev
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides the agent with the ability to execute a wide range of shell commands via the `warden` CLI wrapper. This includes starting/stopping containers (`warden env up`), interacting with databases (`warden db import`), and opening interactive shell sessions (`warden shell`, `warden debug`). These capabilities are essential for the skill's primary purpose of managing local development environments.
- [PRIVILEGE_ESCALATION]: The `references/troubleshooting.md` file instructs the agent on how to resolve common DNS issues, which includes using `sudo` to stop services (e.g., `sudo brew services stop dnsmasq`) or modify system configuration files. While using elevated privileges is generally a high-risk activity, it is a standard requirement for managing local network services like DNSMasq on macOS and Linux.
- [PROMPT_INJECTION]: The skill includes an indirect prompt injection surface in Category 8.
  - Ingestion points: The skill reads project configuration from `.env` files and `docker-compose.yml` previews (e.g., in `SKILL.md` and `examples/workflows.md`).
  - Boundary markers: None identified for delimiting configuration data from agent instructions.
  - Capability inventory: Extensive command execution capabilities via `warden`, including `warden shell` and `warden env exec` across multiple files.
  - Sanitization: No specific sanitization or validation of the `.env` content is described before the agent processes it or outputs it in tables.
- [REMOTE_CODE_EXECUTION]: The `scripts/calculate-version.js` file utilizes `child_process.execSync` to run `git` commands. This script is intended for use by maintainers during the release process rather than by the agent at runtime, and its logic is confined to version calculation based on commit history.
Audit Metadata