code-formatter-installer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary workflow involves reading untrusted project files to detect the tech stack, which serves as an ingestion point for indirect instructions.
- Ingestion points: Project metadata files such as package.json, pyproject.toml, and requirements.txt.
- Boundary markers: No delimiters or instructions to ignore embedded commands are used when processing project data.
- Capability inventory: File system write access (generating various config files) and command execution (npm/pip installation).
- Sanitization: No sanitization of user-provided project data is performed before it influences agent actions.
- Command Execution (HIGH): The skill provides instructions for the agent to run high-privilege system commands, including `npm install`, `pip install`, and `npx husky init`. These commands can be subverted if the environment or project configuration is malicious.
- External Downloads (MEDIUM): The skill references and installs multiple third-party packages and pre-commit hooks from GitHub (psf/black, pycqa/isort, etc.). These sources, while common, are not listed in the pre-approved Trusted External Sources.
- Dynamic Execution (MEDIUM): The skill generates shell scripts (e.g., .husky/pre-commit) at runtime. While standard for the toolset, runtime script generation based on untrusted project detection carries inherent risks.
Recommendations
- AI detected serious security threats
Audit Metadata