firebase-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): Hardcoded sensitive file paths. The skill explicitly references absolute local paths: /Users/dylanr/work/2389/oneonone, /Users/dylanr/work/2389/bot-socialmedia-server, and /Users/dylanr/work/2389/meme-rodeo. This leaks the internal directory structure and the username of the developer machine.
- [Indirect Prompt Injection] (HIGH): Vulnerable ingestion surface combined with high-privilege capabilities.
  - Ingestion points: The skill is designed to 'review Firebase code', 'audit firebase', and 'analyze requests' containing code patterns.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the orchestrator logic.
  - Capability inventory: The skill routes to sub-skills that perform 'Project Setup' (file writes), 'Add Feature' (writing functions/collections), and 'Debug' (execution of Firebase CLI).
  - Sanitization: There is no evidence of sanitization or validation of the code being reviewed before it influences agent decisions.
  - Risk: An attacker-controlled codebase could contain instructions within comments or metadata that trick the agent into creating malicious Cloud Functions or exfiltrating data during the 'validate' or 'debug' phases.
- [Command Execution] (MEDIUM): Execution of Firebase CLI and build tools. The skill explicitly instructs the agent to run firebase emulators:start and references vitest and biome. While consistent with the skill's purpose, these represent a side-effect surface that can be exploited if the agent is influenced by malicious code input.
Recommendations
- AI detected serious security threats
Audit Metadata