moai-platform-firestore
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill utilizes `mcp__context7__get-library-docs` to ingest external content. Because the skill also possesses `Write` and `Bash` capabilities, it is vulnerable to instructions embedded in third-party documentation that could hijack agent behavior.
  - Ingestion points: `mcp__context7__get-library-docs` (SKILL.md)
  - Boundary markers: Absent. No instructions are provided to the agent to treat documentation as untrusted data.
  - Capability inventory: `Write`, `Bash(firebase:*)`, `Bash(npm:*)`, `Bash(npx:*)` (SKILL.md)
  - Sanitization: Absent. The skill lacks validation for retrieved documentation content.
- Command Execution (MEDIUM): The skill is granted `Bash(npm:*)` and `Bash(npx:*)` permissions. This allows the agent to install and execute arbitrary packages. While intended for Firebase tooling, this provides a significant execution surface that could be abused if the agent is misled by injected instructions.
- External Downloads (LOW): The skill references the `firebase` package and documentation libraries. Per [TRUST-SCOPE-RULE], these are considered trusted sources (Google/Firebase), which downgrades the download finding itself to LOW, although the behavior of the code using these dependencies remains subject to analysis.
Recommendations
- AI detected serious security threats