sveltia-cms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Significant indirect prompt injection surface detected. The skill provides templates to configure Sveltia CMS to ingest untrusted data from Git repositories (Ingestion points: 'folder' fields in 'templates/collections/*.yml'). The architecture requires high-privilege OAuth scopes such as 'repo' and 'write_repository' (Capabilities: documented in 'references/authentication-guide.md'), which allow for repository modifications. Adversarial content in processed files could influence agent behavior or trigger unauthorized file writes. No boundary markers or sanitization mechanisms are included in the provided templates.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references external scripts from 'unpkg.com' and repositories from 'github.com/sveltia'. Since these sources are not in the predefined trust scope, they represent unverifiable dependencies and potential supply chain risks.
- [COMMAND_EXECUTION] (LOW): Initialization scripts ('scripts/init-sveltia.sh') and version checkers ('scripts/check-versions.sh') perform shell operations and network requests to the npm registry. While standard for setup, they involve external data interaction and file system modifications.
Recommendations
- AI detected serious security threats
Audit Metadata