workspace-setup
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's core logic involves executing shell commands parsed from a text file. This includes commands for dependency installation (npm install), file manipulation (cp), and database migrations.
- [REMOTE_CODE_EXECUTION]: The skill uses content from WORKSPACE.md as input for shell execution. This is a vector for arbitrary code execution if the file is sourced from an untrusted remote repository or modified by a malicious actor.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present because the skill ingests instructions from an external data source (WORKSPACE.md).
- Ingestion points: WORKSPACE.md file (Step 2).
- Boundary markers: None; the skill reads and executes raw strings from the markdown file without delimiters or safety warnings.
- Capability inventory: Shell access is used to run the parsed strings as commands in the project directory.
- Sanitization: No validation, escaping, or filtering is performed on the extracted strings before they are passed to the shell.
Audit Metadata