pnpm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect prompt injection surface through untrusted package names and configurations.
  - Ingestion points: Arguments to `pnpm add`, `pnpm dlx`, and `pnpm install` as documented in `references/core-cli.md`.
  - Boundary markers: Absent. There are no instructions for the agent to validate or delimit package names originating from external content.
  - Capability inventory: High-privilege capabilities including arbitrary command execution (`pnpm run`, `pnpm exec`), filesystem modification, and network downloads.
  - Sanitization: Absent. No validation logic is provided to check package identity or integrity.
- [REMOTE_CODE_EXECUTION] (HIGH): Runtime download and execution of untrusted third-party code.
  - Evidence: Commands like `pnpm dlx` in `references/core-cli.md` and `pnpm install` in `references/best-practices-ci.md` download packages from the public npm registry and execute them immediately or via lifecycle scripts (`postinstall`).
  - Risk: Malicious packages in the public registry (e.g., via typosquatting) can execute arbitrary code on the agent's host.
- [COMMAND_EXECUTION] (MEDIUM): Arbitrary script and binary execution.
  - Evidence: `pnpm run`, `pnpm exec`, and recursive execution commands in `references/core-cli.md`.
  - Risk: These tools provide the agent with the ability to run any binary in the local path or any script defined in a `package.json`, which could be abused if an attacker can influence the project structure.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Unverifiable package installation.
  - Evidence: `pnpm install` and `pnpm import` commands throughout the skill documentation.
  - Risk: The skill encourages installing dependencies without explicitly mandating integrity checks beyond the lockfile, which may not be present in all scenarios.
Recommendations
- AI detected serious security threats
Audit Metadata