typescript-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). (1) Ingestion points: The check_any_usage and check_type_errors functions in scripts/ts_diagnostic.py capture and print code snippets and error messages from untrusted files in the src/ directory and configuration files. (2) Boundary markers: No delimiters or ignore instructions are used when printing file content to the agent context. (3) Capability inventory: The skill has the ability to execute shell commands and read project files, providing a high-privilege environment for injected instructions. (4) Sanitization: No sanitization or filtering is applied to the content extracted from the source files before it is displayed to the agent.
- COMMAND_EXECUTION (MEDIUM): The scripts/ts_diagnostic.py script uses subprocess.run(shell=True) to execute system commands. This is a dangerous pattern that can lead to command injection if the command strings are manipulated or contain shell metacharacters.
- REMOTE_CODE_EXECUTION (LOW): The diagnostic script runs npx tsc, which involves downloading and executing code from the npm registry. While the source is trusted (downgrading this specific finding to LOW per [TRUST-SCOPE-RULE]), the operation occurs within the context of an untrusted local repository and uses dynamic execution.
Recommendations
- AI detected serious security threats
Audit Metadata