Skills
skills/medusajs/medusa-claude-plugins/db-generate/Gen Agent Trust Hub

db-generate

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute npx medusa db:generate <module-name>. Directly interpolating user-provided arguments into shell commands can lead to arbitrary code execution if the inputs are not properly sanitized.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect command injection through the <module-name> argument, allowing a user to potentially execute unintended commands.
  • Ingestion points: The <module-name> argument provided by the user in the SKILL.md file.
  • Boundary markers: None. The user input is concatenated directly into the shell command string without delimiters or warnings to the agent.
  • Capability inventory: The skill possesses the capability to execute shell commands via the Bash tool, restricted to patterns matching npx medusa db:generate:*.
  • Sanitization: There is no evidence of input validation, character escaping, or sanitization for the <module-name> argument.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes npx to execute the medusa command-line tool, which may trigger the download of the package from the npm registry. The medusa package is an official resource associated with the author, medusajs.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 4, 2026, 04:20 AM