biome-gritql
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (Category 8) (HIGH): The skill is designed to ingest and analyze untrusted project data while possessing the capability to modify files and execute shell commands.
  - Ingestion points: Project files and codebase contents accessed via the `Read` and `Glob` tools.
  - Boundary markers: Absent. The skill does not define specific delimiters or instructions to prevent the agent from obeying instructions embedded in the code it is linting.
  - Capability inventory: High-privilege access including `Bash` (for running linter checks) and `Write`/`Edit` (for creating/modifying rule files and project configurations).
  - Sanitization: None. The skill does not specify any validation or filtering of external content before processing it for linting rules.
- External Downloads (Category 4) (LOW): The skill instructions suggest using `bunx biome check`, which triggers the download and execution of the `@biomejs/biome` package from the npm registry.
- Command Execution (Category 5) (MEDIUM): The skill requests `Bash` access to run linter commands, which could be exploited if the agent is tricked into executing malicious strings via indirect injection.
- Metadata Poisoning (Category 7) (MEDIUM): The resources section includes a link to an external personal blog (`laulau.land`) for 'Blog examples'. Directing an agent to read instructions from untrusted, non-official external sources increases the risk of the agent adopting malicious patterns or behavior-overriding instructions.
Recommendations
- AI detected serious security threats
Audit Metadata