assistant-ui
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill instructs the agent to execute commands like 'npx assistant-ui@latest create', 'upgrade', and 'codemod'. This executes code directly from the npm registry without version pinning or origin verification from a non-trusted organization. Evidence: references/setup-and-cli.md.
- PROMPT_INJECTION (HIGH): Category 8 finding.
  1. Ingestion points: Untrusted user input and tool results are processed via the 'stream' and 'load' functions in references/langgraph-runtime.md.
  2. Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present.
  3. Capability inventory: The skill integrates tool execution ('execute' property in references/tool-ui-patterns.md) and CLI operations, creating a high-privilege context for data.
  4. Sanitization: No sanitization of message content or tool outputs is documented.
  This combination creates a high risk of indirect prompt injection.
- COMMAND_EXECUTION (HIGH): The skill includes instructions to run 'npx assistant-ui@latest mcp --cursor' or '--claude-code', which attempts to modify the local development environment or IDE configurations without a prior security review of the third-party binary. Evidence: references/setup-and-cli.md.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of multiple packages from the '@assistant-ui/*' scope. Since 'assistant-ui' is not in the trusted organization list defined by the [TRUST-SCOPE-RULE], these downloads are treated as unverifiable dependencies. Evidence: references/langgraph-runtime.md.
Recommendations
- AI detected serious security threats
Audit Metadata