Skills
skills/nebutra/next-unicorn-skill/analyze-and-recommend-third-party-optimizations/Gen Agent Trust Hub

analyze-and-recommend-third-party-optimizations

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external data (the user's codebase in src/).
  • Ingestion points: The scanner and structural analyzer read all files within the target project path.
  • Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are present in the prompts or templates (e.g., templates/migration-plan.md, templates/prd-template.md).
  • Capability inventory: The skill possesses high-privilege capabilities including creating Pull Requests (src/pr-creator/pr-executor.ts), modifying files via migration plans, and executing shell commands (references/code-organization-workflow.md).
  • Sanitization: There is no evidence of sanitization or escaping of code content before it is interpolated into the AI's reasoning context. A malicious comment in the scanned code could influence the agent to recommend dangerous library replacements or generate malicious PR descriptions.
  • Remote Code Execution (HIGH): The skill relies on runtime execution of external packages via npx that are not from trusted sources.
  • Evidence: .mcp.json executes npx -y @context7/mcp-server. references/code-organization-workflow.md instructs the agent to run npx madge. Neither @context7 nor madge are within the [TRUST-SCOPE-RULE] for trusted organizations or repositories.
  • Command Execution (MEDIUM): The workflow instructions in references/code-organization-workflow.md direct the agent to execute complex shell commands directly on the host system (e.g., find src -type d -exec sh -c ...). While these are intended for fact-gathering, they increase the attack surface if directory names or file contents contain shell-active characters.
  • Unsafe Credential Handling (INFO): While SECURITY.md claims no secrets are in code, the skill interacts with Git platforms (GitHub, GitLab, Bitbucket). The PlatformClient and GitOperations interfaces assume credentials will be provided at runtime. While no hardcoded keys were found, the ability to push code to remote branches (src/pr-creator/git-operations.ts) provides a mechanism for potential data exfiltration of local environment variables or secrets if the AI is compromised via injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:37 PM