pnpm
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill enables the agent to ingest and act upon untrusted project data, creating a significant attack surface.
- Ingestion points: reads
package.json,pnpm-workspace.yaml, and.npmrcfrom the working directory. - Boundary markers: Absent; there are no instructions to sanitize or ignore embedded commands in these files.
- Capability inventory: supports
pnpm install,pnpm run,pnpm exec, andpnpm dlxacross various reference files. - Sanitization: Absent; the agent is encouraged to follow configurations found in the files.
- Command Execution (HIGH): The skill facilitates the execution of arbitrary scripts defined in a project's manifest. A malicious user could define an 'install' or 'postinstall' script in a
package.jsonthat executes when the agent attempts a standard installation. - Remote Code Execution (HIGH): Support for
pnpm dlxallows for the fetching and immediate execution of remote packages. If an agent is coerced into running a malicious package name via this command, it results in full remote code execution on the host. - External Downloads (MEDIUM): The skill's purpose is to manage external dependencies. While standard, it facilitates the introduction of third-party code into the environment based on untrusted local configurations.
Recommendations
- AI detected serious security threats
Audit Metadata