loom-react
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to Category 8 (Indirect Prompt Injection) because it processes user-provided feature requirements to generate or modify code without any security boundaries.
  * Ingestion points: natural-language user descriptions used to define components and pages.
  * Boundary markers: absent; the skill does not wrap untrusted content in delimiters.
  * Capability inventory: the allowed tools include `Bash(git:*)` and `Bash(jq:*)`, which grant the ability to modify the repository and to interact with network-connected git remotes.
  * Sanitization: absent; there is no logic to filter or validate user input.
- [Privilege Escalation] (MEDIUM): The `allowed-tools` metadata grants broad access to git and jq. While these are development tools, they provide sufficient privilege for an attacker to persistently modify the local environment or project state.
- [Data Exposure & Exfiltration] (LOW): No direct exfiltration code is present, but the ability to run git allows the entire codebase or any secrets in it to be pushed to an external remote if the agent is tricked via prompt injection.
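The capability-inventory finding above comes down to one question: does any `allowed-tools` entry let the agent reach a git remote? The following script is an added example, not part of the audit or of the loom-react skill. It assumes Claude Code-style permission rules of the form `Bash(<prefix>:*)` in a SKILL.md YAML frontmatter, with `allowed-tools` given as a comma-separated string; the two frontmatter blocks it checks are constructed here to show the broad rule beside a tightened one. The set of "local-only" git subcommands is the author's own list, not something the audit specifies.

```python
"""Lint a SKILL.md frontmatter's allowed-tools for git rules that can reach a
remote. Added example (assumes Claude Code-style `Bash(<prefix>:*)` rules)."""
import re

# Git subcommands that only read or rewrite local state. Anything outside this
# set (push, fetch, pull, remote, clone, submodule, ...) can contact a remote.
# This list is an assumption of the example, not part of the audited skill.
LOCAL_GIT_SUBCOMMANDS = {
    "status", "diff", "log", "show", "add", "commit",
    "branch", "stash", "checkout", "switch", "restore",
}

# Matches `Bash(git status:*)` (prefix rule) or `Bash(git status)` (exact rule).
RULE_RE = re.compile(r"^Bash\((?P<prefix>[^)]*?)(?::\*)?\)$")

# Constructed frontmatter with the broad rule the audit flagged.
WEAK_SKILL = """---
name: example-skill
description: constructed sample, generates code from user feature descriptions
allowed-tools: Bash(git:*), Bash(jq:*)
---
"""

# Constructed frontmatter narrowed to local, read-only git subcommands.
HARDENED_SKILL = """---
name: example-skill
description: constructed sample, generates code from user feature descriptions
allowed-tools: Bash(git status:*), Bash(git diff:*), Bash(jq:*)
---
"""


def parse_allowed_tools(skill_md: str) -> list[str]:
    """Return the allowed-tools entries from the leading YAML frontmatter.

    Assumes the value is a comma-separated string, e.g.
    `allowed-tools: Read, Bash(git:*)`; returns [] if absent.
    """
    m = re.match(r"^---\n(.*?)\n---", skill_md, re.S)
    if not m:
        return []
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "allowed-tools":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []


def audit_git_rules(tools: list[str]) -> list[tuple[str, str]]:
    """Return (rule, reason) for every Bash rule that lets git touch a remote."""
    findings = []
    for rule in tools:
        m = RULE_RE.match(rule)
        if not m:
            continue  # not a Bash rule (Read, Grep, ...)
        words = m.group("prefix").split()
        if not words or words[0] != "git":
            continue
        if len(words) == 1:
            # `Bash(git:*)`: every subcommand, including push/fetch/remote
            findings.append((rule, "unbounded git prefix: permits push/fetch/remote"))
        elif words[1] not in LOCAL_GIT_SUBCOMMANDS:
            findings.append((rule, f"git {words[1]} can contact a remote"))
    return findings


if __name__ == "__main__":
    for label, skill in (("weak", WEAK_SKILL), ("hardened", HARDENED_SKILL)):
        print(label, audit_git_rules(parse_allowed_tools(skill)))
```

Narrowing the prefix to specific subcommands does not address the missing boundary markers or input sanitization; it only removes the exfiltration path that made the injection finding HIGH-impact. Note that `jq` is left untouched here because the audit attributes the remote-push capability to git alone.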
Recommendations
- AI detected serious security threats
Audit Metadata