moai-platform-firestore

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly allows the 'Bash' tool in its allowed-tools list. This provides the agent with the ability to execute arbitrary system-level commands. While no malicious code is hardcoded in the skill, the presence of this tool significantly increases the potential impact of an injection attack.
  • [PROMPT_INJECTION] (HIGH): The skill creates a significant surface for Indirect Prompt Injection.
    1. Ingestion points: The skill instructs the agent to fetch documentation from external IDs using 'mcp__context7__get-library-docs' in the Implementation Guide.
    2. Boundary markers: Absent. There are no instructions provided to the agent to treat this fetched external data as potentially untrusted or to ignore embedded instructions.
    3. Capability inventory: The agent is equipped with 'Bash', 'Write', and 'Read' tools.
    4. Sanitization: Absent. The skill provides no mechanism to validate or sanitize documentation content before the agent processes it. An attacker controlling a library could insert malicious instructions that leverage the available privileged tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 03:09 AM