polar
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill prompts the installation of @miketromba/polar-cli via npm. Neither the package nor the author is within the trusted scope, posing a risk of supply chain attack or malicious code execution at runtime.
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to execute shell commands that interact with SaaS billing and resource management. This includes destructive operations (e.g., polar customers delete --yes) which, while functional, increase the impact of any successful injection attack.
- [CREDENTIALS_UNSAFE] (LOW): The documentation guides the user to provide a POLAR_ACCESS_TOKEN. While it correctly recommends environment variables, the agent's involvement in handling these high-privilege credentials requires careful monitoring.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It instructs the agent to fetch documentation from https://polar.sh/docs/llms.txt and use it to "understand how a feature works" or "verify API behavior." This remote content is untrusted data that enters the agent's context.
  - Ingestion points: Remote text index and linked documentation pages at polar.sh.
  - Boundary markers: Absent. The agent is not instructed to disregard embedded commands or instructions within the documentation.
  - Capability inventory: The agent can create/delete customers, manage billing, and issue license keys via the polar CLI.
  - Sanitization: Absent. The skill lacks any validation or filtering of the fetched documentation before the agent interprets it for decision-making.
Recommendations
- AI detected serious security threats
Audit Metadata