astro-developer
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The `scripts/create-component.js` script provides a significant attack surface for indirect prompt injection. If an agent uses this skill to process data from an untrusted source (e.g., a user request or external content) and maps it directly to the script arguments, it could be exploited.
  - Ingestion points: Command-line arguments `name`, `type`, and `dir` in `scripts/create-component.js`.
  - Boundary markers: None present in the script or instructions.
  - Capability inventory: File system write access (`fs.writeFileSync`) and directory creation (`fs.mkdirSync`).
  - Sanitization: Missing. The script uses `path.join` with raw input, which is susceptible to path traversal attacks (e.g., using `../` in the name or directory fields).
- [Command Execution] (MEDIUM): The script `scripts/create-component.js` performs local file system modifications. While this is its intended functionality, the ability to write arbitrary code (Astro, React, Vue, Svelte) and update index files represents a capability that can be abused to contaminate a project or overwrite sensitive configuration files if the inputs are not strictly validated.
- [External Downloads] (LOW): The `references/testing-guide.md` documentation suggests installing several third-party packages (e.g., `vitest`, `playwright`, `jsdom`). Per [TRUST-SCOPE-RULE], these are considered trusted sources as they belong to established ecosystems (npm/Astro), but they still represent external dependencies that a user would need to verify manually.
Audit Metadata