monorepo-ci-optimizer

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The TypeScript script 'scripts/get-affected.ts' uses 'child_process.execSync' with string interpolation for the 'base' variable: 'execSync(`git diff --name-only ${base}...HEAD`, ...)'. This pattern is vulnerable to command injection if the 'base' parameter or the local git environment is influenced by untrusted external data (e.g., via a malicious PR branch name).
  • [EXTERNAL_DOWNLOADS] (LOW): The provided GitHub Action templates reference external actions from the 'actions' and 'nrwl' organizations and execute tools via 'npx' (e.g., 'turbo', 'nx', 'nx-cloud'). These organizations are not included in the predefined trusted list, necessitating manual verification of the external code being executed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:52 PM