asset-manager
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Vulnerable command execution in references/font-management.md. Filenames retrieved via fs.readdir are interpolated directly into shell command strings without sanitization or escaping.
  - Evidence: await execAsync(`woff2_compress ${input}`); in the convertToWOFF2 function.
  - Evidence: await execAsync(`sfnt2woff ${input}`); in the convertToWOFF function.
  - Impact: An attacker who can place a file with a name like "; touch RCE ;.ttf" in the input directory triggers arbitrary command execution when the optimization script runs, because exec passes the interpolated string to a shell that parses the ";" as a command separator.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill provides scripts intended for execution via tsx (as seen in references/best-practices.md) that contain the command injection described above. While the execution is local, the pattern of using child_process.exec with untrusted input is a high-risk security anti-pattern.
- [EXTERNAL_DOWNLOADS] (LOW): The skill recommends installing various system binaries and npm packages from external sources.
  - Evidence: brew install woff2, sfnt2woff, and npm install sharp svgo are mentioned in the documentation.
- [PROMPT_INJECTION] (LOW): An indirect prompt injection surface exists because the skill processes filenames and directory structures, which an attacker could control to influence the agent's perception of the project state.
- Ingestion points: fs.readdir in references/organization.md and references/font-management.md.
- Boundary markers: None identified in the provided scripts.
- Capability inventory: child_process.exec, fs.rename, fs.writeFile.
- Sanitization: No sanitization of filenames before they are passed to sensitive operations.
Recommendations
- AI detected serious security threats
Audit Metadata