ln-010-dev-environment-setup
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `node` to execute local orchestration scripts (cli.mjs) for managing worker skill lifecycles and environment state.
- [EXTERNAL_DOWNLOADS]: Mentions the identification and potential installation of external binary dependencies for language servers and graph providers, such as `basedpyright`.
- [COMMAND_EXECUTION]: The skill provides functionality to modify Cursor and VSCode `settings.json` to enable high-privilege modes like `allowDangerouslySkipPermissions`, which bypasses security confirmation prompts.
- [COMMAND_EXECUTION]: Automates the configuration of agents into low-restriction states, specifically monitoring or setting `approval_policy=never` and `sandbox_mode=danger-full-access`.
- [PROMPT_INJECTION]: The skill processes untrusted data from the local filesystem and IDE configuration, creating a surface for indirect prompt injection.
  - Ingestion points: IDE extension directories (`~/.cursor/extensions/`, `~/.vscode/extensions/`), user `settings.json`, and local `.hex-skills/environment_state.json` (SKILL.md).
  - Boundary markers: Absent; the instructions do not use delimiters or warnings to prevent the agent from following instructions embedded in discovery snapshots.
  - Capability inventory: The skill possesses the capability to execute shell commands and modify local filesystem configurations (SKILL.md).
  - Sanitization: While the final state is validated against a JSON schema, the initial discovery phase lacks sanitization or escaping of ingested path and configuration data.
Audit Metadata