moai-library-toon

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill's primary specification (TOON v4.0) explicitly supports and encourages arbitrary shell command execution via a dedicated exec field in its YAML-based definitions.
      ◦ Evidence in SKILL.md: The 'Menu Command Types' table lists exec for 'Run shell command'.
      ◦ Evidence in SKILL.md: The example implementation shows `- trigger: run-tests, exec: "pytest tests/ -v --cov"` and `- trigger: another-command, exec: "shell command to execute"`.
      ◦ Risk: An agent interpreting these TOON definitions is instructed to execute arbitrary strings as system commands, leading to total system compromise if the source file is malicious.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill promotes the installation of third-party packages from NPM and PyPI that are not part of the trusted source list.
      ◦ Evidence in README.md: Instructions to run `npm install @toon-format/toon`, `pip install toon-format`, and `npm install -g @toon-format/cli`.
      ◦ Evidence in modules/core.md: Instructions to run `uv pip install toon_format tiktoken`.
  • REMOTE_CODE_EXECUTION (HIGH): The combination of the exec capability and the workflow trigger (which loads and potentially executes remote YAML files) facilitates multi-stage RCE.
      ◦ Evidence in SKILL.md: The workflow trigger allows loading definitions from paths like {project-root}/.claude/workflows/.../workflow.yaml. If these paths are controlled by an attacker (e.g., via a PR or untrusted data), the agent will execute the commands defined within them.
  • INDIRECT PROMPT INJECTION (LOW): The skill is designed to ingest and process external data for encoding/decoding, creating a surface for injection attacks.
      ◦ Ingestion points: modules/advanced-patterns.md (validate, toon_to_json, compress_documents) and modules/core.md (decode).
      ◦ Boundary markers: Absent. There is no evidence of delimiters or instructions for the agent to ignore content within the TOON data.
      ◦ Capability inventory: Arbitrary shell execution (exec), file reading (data), and workflow loading (workflow), as defined in SKILL.md.
      ◦ Sanitization: Absent. The provided Python conversion logic does not sanitize input strings before processing them or potentially passing them to an execution engine.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:37 PM