slides-generator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Risk Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill automatically executes shell commands, including `npm install` and `npm run dev` in Step 5. While these are standard for frontend development, executing them on a project skeleton that has been modified with LLM-generated code (JSX slides) creates a risk of running malicious scripts if the generation is compromised.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Step 6 includes instructions to install an external tool via `npx chrome-devtools-mcp@latest`. This downloads and executes code from the npm registry at runtime. Since the source is not within the defined trusted organizations, this represents an unverifiable remote code execution risk.
- [DYNAMIC_EXECUTION] (MEDIUM): The core functionality involves generating React components (`.jsx`) and importing them into a main application. This 'script generation + execution' pattern allows the LLM to write code that is then executed in the user's browser/environment. A malicious user or an indirect injection could cause the agent to generate code for data exfiltration or session hijacking.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). Evidence chain:
  - Ingestion points: User-provided 'Key Points' and 'Title' in Step 1/Step 4.
  - Boundary markers: Absent. User content is interpolated directly into the subagent prompt using `${keyPoints}`.
  - Capability inventory: File writing (JSX), shell execution (`npm`), and environment modification (`mcp add`).
  - Sanitization: No escaping or validation is performed on the user-provided content before it is passed to the subagent.
Audit Metadata