
photon

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM

Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The framework uses JSDoc tags to trigger the download and installation of external resources.
    ◦ The @dependencies tag in references/docblock-tags.md and SKILL.md allows for the automatic installation of NPM packages (e.g., axios, cheerio, lodash).
    ◦ The @cli tag enables the specification of system tool dependencies that can be downloaded from arbitrary URLs (e.g., `git https://git-scm.com/downloads`).
    ◦ The @mcp and @photon tags allow the framework to fetch and load external MCP servers and photons dynamically from registries or repositories.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the creation and execution of code that can be updated or extended at runtime.
    ◦ Photons are executed directly using tsx via the photon runtime, which means any code generated by an agent using this skill can be immediately run on the host system.
    ◦ The this.schedule.create API and @cron tags allow for persistent execution of code on a schedule, providing a mechanism for long-term persistence of potentially malicious scripts.
    ◦ The bridge in references/mcp-apps.md injects communication APIs into sandboxed iframes which, while sandboxed, still allow the allow-same-origin and allow-scripts permissions.
  • [COMMAND_EXECUTION]: The skill instructions guide the agent to perform high-level CLI operations that modify the system environment.
    ◦ Instructions include global installation of the runtime (npm install -g @portel/photon) and management of background daemons.
  • [DATA_EXFILTRATION]: The dependency injection system automatically maps environment variables to constructor parameters.
    ◦ references/dependency-injection.md describes how private apiKey: string maps to PHOTON_NAME_APIKEY, which could lead to accidental exposure of credentials if the generated photon logic or logging is compromised.
  • [INDIRECT_PROMPT_INJECTION]: Several examples provided in the skill demonstrate the ingestion of untrusted data from external sources.
    ◦ Example 2 in references/examples.md is a web scraper that fetches data from user-provided URLs.
    ◦ Example 3 in references/examples.md fetches GitHub issues and passes them directly to an AI model for categorization.
    ◦ Ingestion points: WebScraper.run (URL input), IssueTriage.run (GitHub repo input).
    ◦ Boundary markers: No explicit sanitization or strict boundary markers are shown in the example code snippets to prevent malicious data from influencing the agent's logic.
    ◦ Capability inventory: The framework has access to the filesystem (via @mcp fs), network (via fetch), and task scheduling (this.schedule).
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 03:40 AM