zod-4
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Privilege Escalation] (HIGH): The skill requests 'Bash' and 'Task' in its 'allowed-tools' list. Granting an agent command execution capabilities for a simple collection of schema patterns is a violation of the principle of least privilege and introduces significant security risk.
- [Metadata Poisoning] (MEDIUM): The skill claims to document 'Zod 4', which is currently fictional or non-standard, and provides 'NEW' syntax (e.g., z.email()) that contradicts the standard library. This deceptive metadata can cause the agent to generate broken code and behave unpredictably.
- [Indirect Prompt Injection] (HIGH): Mandatory Evidence Chain:
  - Ingestion points: Zod schemas are primarily used to parse and validate untrusted external data from users or APIs.
  - Boundary markers: None identified in the skill instructions.
  - Capability inventory: The skill requests 'Bash', 'Write', 'WebFetch', and 'Task' permissions.
  - Sanitization: None provided for the data being parsed.
  - Analysis: By combining the processing of untrusted data with high-privilege execution and network tools, the skill creates a dangerous surface for indirect prompt injection attacks.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The inclusion of 'WebFetch' and 'WebSearch' in 'allowed-tools' for a pattern library allows the agent to ingest external content that could contain further malicious instructions or lead to data exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata