medusa
Audited by Gen Agent Trust Hub on Feb 12, 2026
The SKILL.md file provides detailed instructions and code snippets for setting up a Medusa e-commerce backend. The description_xx.txt files are benign translations of the skill's description.
1. Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'jailbreak') were found in any of the files.
2. Data Exfiltration: The skill mentions sensitive environment variables such as JWT_SECRET and COOKIE_SECRET, but instructs the user to configure them securely and even shows a deployment example that uses generateValue: true. The network operations shown (e.g., curl, fetch) are either localhost API calls or interactions with legitimate deployment platforms (railway) and package registries (npm). There is no evidence of sensitive file access combined with exfiltration to untrusted external domains.
3. Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, homoglyphs, or complex URL/hex/HTML encoding were detected in the skill's content.
4. Unverifiable Dependencies (LOW): The skill instructs the user to install and execute several external packages and CLIs, including npx create-medusa-app@latest, npm install @railway/cli, and npm install @medusajs/payment-stripe. While these are legitimate and commonly used tools within the Medusa ecosystem and for deployment, they are external dependencies whose code is not directly verifiable during this analysis. The medusajs organization is not explicitly listed in the trusted GitHub organizations, but it is a well-known open-source project. Given their standard use for the skill's purpose, this is flagged as a LOW severity finding.
5. Privilege Escalation: No sudo or doas commands are used. There are no instructions for modifying system-wide permissions (chmod 777), installing services, or altering critical system files.
6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, crontab, authorized_keys) were found.
7. Metadata Poisoning: The metadata fields (name, description) and the content of the description_xx.txt files are benign and do not contain any malicious instructions.
8. Indirect Prompt Injection (INFO): The skill describes building an e-commerce platform that will handle user-generated content (e.g., product reviews, customer details). If this data is subsequently fed into an LLM without proper sanitization, it could be susceptible to indirect prompt injection. This is a general risk associated with the application built using the skill, rather than a direct vulnerability within the skill's instructions.
9. Time-Delayed / Conditional Attacks: No conditional logic based on dates, usage counts, or specific environment triggers that would activate malicious behavior was detected.