dart-sass
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): In examples/getting-started/installation.md, the skill instructs users to download standalone binaries from GitHub releases (sass/dart-sass). While this is the official Sass repository, it is not on the trusted organizations list provided in the security schema, so it is treated as an untrusted external download.
- [COMMAND_EXECUTION] (MEDIUM): The installation.md file suggests running "sudo npm install -g sass" for a global installation. This runs the package manager, and any install scripts the package ships, as root; if the package or the registry is compromised, the attacker's code executes with elevated privileges.
- [COMMAND_EXECUTION] (LOW): The shell script examples in examples/getting-started/compiling-modes.md use "rm -rf dist/css/*". Although intended for build cleanup, such a destructive command is a risk if it is run from the wrong directory or with a misconfigured path.
- [COMMAND_EXECUTION] (LOW): The documentation provides numerous examples of executing CLI commands and scripts (Bash, JavaScript, Dart) that interact with the local file system and invoke the Sass compiler.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted data (Sass/SCSS source code) through ingestion points in its scripts and APIs without explicit boundary markers separating that data from instructions. If the agent interprets the content of the processed files as instructions rather than as data, this is an indirect prompt injection vector.
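The command-level findings above describe risky patterns rather than fixes. As an added example that is not part of the audit or of the dart-sass skill, the following Bash script shows hardened counterparts: a cleanup routine that refuses to delete anything outside the project root (including via symlinks or an empty path), verification of a downloaded artifact against a pinned SHA-256 digest, and installation into a user-writable prefix so that sudo is unnecessary. The project layout, file contents and digest are constructed for the demo; the function names are the editor's own, and the digest-pinning step assumes the expected SHA-256 is obtained out of band (the script fetches nothing).

```bash
#!/usr/bin/env bash
# Added example (not from the audit or the dart-sass skill): hardened
# counterparts to the patterns flagged in the findings. All paths, file
# contents and the expected digest below are constructed for the demo.
set -euo pipefail

# rm -rf finding: only the *contents* of a directory are removed, and only
# when the directory resolves (symlinks followed via pwd -P) to a location
# strictly inside the project root. An empty or wrong path, the root itself,
# or anything outside it is refused instead of deleted.
safe_clean() {
  local root="$1" target="$2"
  local abs_root abs_target
  [ -n "$target" ] || { echo "safe_clean: empty target, refusing" >&2; return 1; }
  abs_root=$(cd -- "$root" 2>/dev/null && pwd -P) || return 1
  abs_target=$(cd -- "$target" 2>/dev/null && pwd -P) || return 1
  case "$abs_target" in
    "$abs_root"/*) ;;   # strictly inside the root: proceed
    *) echo "safe_clean: refusing to clean $abs_target" >&2; return 1 ;;
  esac
  # find handles dotfiles and empty directories without relying on shell
  # glob expansion, and never touches the directory itself.
  find "$abs_target" -mindepth 1 -delete
}

# External download finding: compare a downloaded artifact against a digest
# pinned in the repository (GNU sha256sum; on macOS use "shasum -a 256").
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum -- "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Download and sudo findings together: install the verified binary into a
# user-writable prefix (for example ~/.local/bin) so no root privileges are
# involved; a digest mismatch aborts before anything is written.
install_verified() {
  local artifact="$1" expected="$2" dest_dir="$3"
  if ! verify_sha256 "$artifact" "$expected"; then
    echo "install_verified: digest mismatch for $artifact, refusing" >&2
    return 1
  fi
  mkdir -p -- "$dest_dir"
  install -m 0755 -- "$artifact" "$dest_dir/$(basename -- "$artifact")"
}

# Demo on a constructed project tree under a temporary directory.
demo() {
  local tmp good
  tmp=$(mktemp -d)
  mkdir -p "$tmp/proj/dist/css"
  printf 'body{}' > "$tmp/proj/dist/css/main.css"
  printf 'keep'   > "$tmp/proj/keep.txt"
  ln -s "$tmp" "$tmp/proj/escape"            # symlink pointing outside root

  safe_clean "$tmp/proj" "$tmp/proj/dist/css"          # allowed
  if safe_clean "$tmp/proj" "$tmp/proj"; then return 1; fi     # root: refused
  if safe_clean "$tmp/proj" "$tmp/proj/escape"; then return 1; fi  # symlink out: refused
  if safe_clean "$tmp/proj" ""; then return 1; fi              # empty: refused
  [ -f "$tmp/proj/keep.txt" ]                  # unrelated file survived

  printf 'constructed sass binary' > "$tmp/sass"   # stands in for the download
  good=$(sha256sum -- "$tmp/sass" | awk '{print $1}')  # would be pinned in repo
  install_verified "$tmp/sass" "$good" "$tmp/bin"      # digest matches: installed
  printf 'tampered' >> "$tmp/sass"
  if install_verified "$tmp/sass" "$good" "$tmp/bin2"; then return 1; fi  # refused
  echo "demo ok: $tmp"
}

demo
```

The root check compares physical paths, so a symlink inside the project that points elsewhere is refused; on macOS, where mktemp returns a path under the /var symlink, both sides are resolved the same way, so the comparison still holds.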
Audit Metadata