fullstack-workspace-init
Warn
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/init-workspace.py uses subprocess.run to execute shell commands, specifically calling python3 to run internal and external initialization scripts.
- [REMOTE_CODE_EXECUTION]: The scripts/init-workspace.py script attempts to execute a file located at ~/.codex/skills/agent-folder-init/scripts/scaffold.py. This behavior involves running code from a path outside the skill's own directory structure, which introduces a dependency on the security and integrity of that external location.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by generating application code (NextJS components, NestJS services, etc.) based on a user-provided project 'brief'.
  - Ingestion points: The user-provided project description via the --brief argument in scripts/init-workspace.py and the intake workflow described in SKILL.md.
  - Boundary markers: There are no explicit boundary markers or 'ignore' instructions used to separate the user-provided brief from the generation logic.
  - Capability inventory: The skill possesses the capability to write files to the local file system and execute subprocesses (e.g., bun install).
  - Sanitization: The skill performs basic string transformations for naming but lacks robust sanitization of the logical content extracted from the user brief before it is interpolated into code templates.
Audit Metadata