librarian

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • Dynamic Execution (MEDIUM): The opensrc_execute tool is designed to execute JavaScript code blocks on a server to perform repository analysis. This pattern essentially exposes remote code execution (RCE) as a feature. While the API surface is documented, the underlying capability to execute arbitrary logic on the MCP server poses a security risk if the agent incorrectly interpolates user input into the code strings.
  • Indirect Prompt Injection (LOW): The skill is intended to ingest data from untrusted third-party repositories (GitHub, npm, PyPI, etc.).
      ◦ Ingestion points: External data enters the agent context through opensrc.read, opensrc.readMany, and opensrc.grep, as described in opensrc-examples.md and opensrc-api.md.
      ◦ Boundary markers: The instructions lack specific guidance on using delimiters or system-level instructions to ignore potential commands hidden within the analyzed source code (e.g., in README files).
      ◦ Capability inventory: The agent can execute complex logic via opensrc_execute and has broad read access to the downloaded source trees.
      ◦ Sanitization: No explicit sanitization or content validation is mentioned before the fetched source code is presented to the LLM for reasoning.
  • External Data Fetching (LOW): The skill fetches code and packages from major public registries. According to the [TRUST-SCOPE-RULE], while the sources (GitHub, npm, etc.) are generally reputable, the retrieved content is untrusted, and its ingestion into the prompt creates the vulnerability surface described in the Indirect Prompt Injection finding.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:25 PM