astro
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill instructs the user to run 'npm create astro@latest'. This command fetches and executes code from the npm registry without a pinned version, creating a vulnerability to supply chain attacks where a compromised 'latest' version could execute malicious code on the host system.
- [Indirect Prompt Injection] (HIGH):
  - Ingestion points: The skill processes content collections and configuration files (e.g., '.astro', '.md', '.mdx', 'astro.config.*') which may contain untrusted data from external contributors or sources.
  - Boundary markers: The skill lacks explicit instructions for the agent to use delimiters or to ignore embedded instructions within processed data files.
  - Capability inventory: The skill guides the agent to execute shell commands ('astro check', 'astro build') and to modify project files based on the processed content.
  - Sanitization: No sanitization or validation of untrusted content is mentioned before it is parsed or rendered by the agent.
- [Command Execution] (MEDIUM): The skill extensively uses shell commands like 'astro add' and 'create astro', which allow the agent to influence the host environment and install additional packages dynamically.
Recommendations
- AI detected serious security threats
Audit Metadata