lemonsqueezy
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill documentation instructs the user to install an external package 'lmsq' from the npm registry using 'npm install -g lmsq' without specifying a version or providing integrity verification. Evidence: SKILL.md installation section.
- [COMMAND_EXECUTION] (HIGH): The CLI provides broad capabilities to perform irreversible actions on a store, such as issuing refunds ('lmsq orders refund'), cancelling subscriptions ('lmsq subscriptions cancel'), and deleting webhooks or discounts ('lmsq webhooks delete'). These operations could be abused if the agent is compromised or misled. Evidence: references/COMMANDS.md.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection. Evidence: SKILL.md and COMMANDS.md show data retrieval paired with administrative capabilities.
  1. Ingestion points: The agent retrieves and processes external, attacker-controllable data from the Lemon Squeezy API (e.g., customer names, order notes, product descriptions) via 'list' and 'get' commands.
  2. Boundary markers: None. There are no instructions to the agent to treat API data as untrusted or to ignore instructions embedded within it.
  3. Capability inventory: The agent has the ability to execute 'write' and 'delete' operations on the same platform.
  4. Sanitization: None. Data from the API is directly interpolated into the agent's context.
- [CREDENTIALS_UNSAFE] (LOW): While the documentation uses placeholders, it describes storing API keys in '~/.config/lemonsqueezy-cli/config.json'. If an agent gains general file system access, this sensitive file could be exposed. Evidence: SKILL.md Authentication section.
Recommendations
- AI detected serious security threats