turborepo
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk capability profile by combining file ingestion tools (
Read,Grep,Glob) with modification tools (Edit,Write) and execution tools (Bash(pnpm:*),Bash(turbo:*)). - Ingestion points: The agent reads untrusted data from the monorepo codebase (e.g.,
package.json,turbo.json, and source code). - Boundary markers: There are no defined boundary markers or instructions to ignore embedded commands in the processed files.
- Capability inventory: The agent can modify any file and execute
pnpmscripts. Sincepnpmcan execute any script defined in apackage.json, an attacker who can influence a file read by the agent (via a PR, issue, or malicious file in the repo) could lead the agent to modify a script and run it. - Sanitization: No sanitization or validation of the monorepo content is performed before interpolation or execution.
- Command Execution (MEDIUM): Although the
Bashtool is restricted topnpm:*andturbo:*, these tools are inherently capable of executing arbitrary shell commands defined inscriptssections of configuration files. This restriction provides a false sense of security if the agent can be coerced into modifying those scripts. - Data Exposure (LOW): The documentation explicitly encourages the inclusion of sensitive keys such as
STRIPE_SECRET_KEYandDATABASE_URLinturbo.jsonconfigurations. While standard for Turborepo, this makes these secrets prominent targets for the agent's file-reading capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata