moai-lang-r
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill permits the use of the "Bash" tool in its "allowed-tools" list. This grants the agent the ability to run arbitrary shell commands on the host environment, which poses a severe security risk if the agent's logic is subverted.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection (Category 8) because it is designed to ingest and act upon data from external, potentially attacker-controlled files (.R, .Rmd, renv.lock) while possessing high-privilege execute capabilities (Bash).
  - Ingestion points: File content matching triggers (.R, .Rmd, .qmd, DESCRIPTION, renv.lock).
  - Boundary markers: Absent; no instructions are provided to delimit external content or ignore embedded commands.
  - Capability inventory: Bash, Read, Grep, Glob.
  - Sanitization: Absent; no evidence of validation or filtering for processed file content.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The implementation guide references "renv::init", "renv::install", and "pak". These functions are used to download and install R packages from remote repositories like CRAN or GitHub. While common in development, executing unverified third-party code at runtime presents a supply chain risk.
Recommendations
- AI detected serious security threats