mapcn-docs
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- Command Execution (LOW): The script `scripts/create-doc-page.sh` uses an unquoted heredoc (`<< EOF`) to generate Next.js page files. In shell scripting, an unquoted heredoc allows the evaluation of variables and command substitutions (e.g., `$(...)` or `` `...` ``) within the body.
  - Ingestion points: Positional arguments `$1` (PAGE_NAME), `$2` (PAGE_TITLE), and `$3` (PAGE_DESC) are used directly within the heredoc.
  - Evidence: Lines 27 and 52 in `scripts/create-doc-page.sh` interpolate variables into the file content.
  - Risk: If a user or an automated process provides a malicious string containing command substitutions as a title or description, the shell will execute those commands in the context of the user running the script.
- Indirect Prompt Injection (LOW): The skill lacks sanitization for user-provided strings that are eventually written into source code files (`.tsx`).
  - Boundary markers: None present in the script to distinguish between template code and user data.
  - Capability inventory: The script performs file system writes (`mkdir`, `cat`).
  - Risk: Maliciously crafted inputs could break the resulting React code or introduce cross-site scripting (XSS) if the generated pages are rendered without further processing.
Audit Metadata