sync-docs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to indirect prompt injection through untrusted data sources.
  - Ingestion points: Processes project files via Read(*), Glob(*), and Grep(*), and external web content via WebFetch(*).
  - Boundary markers: None. The instructions do not define delimiters or provide warnings to ignore embedded instructions in the ingested data.
  - Capability inventory: Includes Write(*), Edit(*), and Bash(npm/yarn*), which allow for file modification and command execution.
  - Sanitization: None detected. The agent is instructed to "Run project commands mentioned in docs to verify they work", which directly transforms untrusted text into executable actions.
- COMMAND_EXECUTION (HIGH): The tool allows execution of npm and yarn. These tools can trigger arbitrary lifecycle scripts (e.g., preinstall, test) defined in a package.json. If an attacker-controlled file is processed, the agent may execute arbitrary code on the host system.
- DATA_EXFILTRATION (MEDIUM): The skill has Read(*) access to all files and WebFetch(*) access to any domain. An attacker could use indirect prompt injection to trick the agent into reading sensitive files (like .env or SSH keys) and sending them to a remote server via a GET or POST request.
- EXTERNAL_DOWNLOADS (LOW): The skill uses WebFetch(*) to validate links and refresh documentation. While intended for documentation, it provides a vector for the agent to interact with malicious external servers.
Recommendations
- AI detected serious security threats
Audit Metadata