dev-server
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to automatically detect and execute scripts defined in project files such as `package.json` or `docker-compose.yml`. This creates a direct path for executing arbitrary code if the project directory contains malicious configurations.
  - Evidence: `SKILL.md` Workflow step 4 and the 'Environment Detection' section describe executing detected package managers and `docker compose` commands based on local file presence.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It relies on untrusted external data (the project's files) to make decisions about command execution.
  - Ingestion points: `package.json`, `docker-compose.yml`, lockfiles, and process metadata retrieved via `lsof` and `ps` (referenced in `scripts/check_ports.sh`).
  - Boundary markers: None. There are no delimiters or instructions to ignore embedded commands within the processed project files.
  - Capability inventory: Process termination (`kill -9`), arbitrary shell execution via package managers, and directory navigation.
  - Sanitization: None. The skill does not validate the integrity or safety of the scripts it discovers before suggesting or performing execution.
- [COMMAND_EXECUTION] (MEDIUM): The provided `scripts/check_ports.sh` script gives the agent the ability to terminate running processes using `kill -9`.
  - Evidence: The `kill_port` function in `scripts/check_ports.sh` executes hard kills on PIDs identified via `lsof`. While a 'same project' check is implemented, this logic relies on `cwd`, which can be manipulated or misinterpreted.
Recommendations
- AI detected serious security threats
Audit Metadata