bring-shopping

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'bring-shopping' npm package, which is an unofficial third-party library used to interact with the Bring! API.
  • [COMMAND_EXECUTION]: The skill executes a local Node.js CLI script ('scripts/bring_cli.mjs') to perform list operations, which involves shell execution by the agent.
  • [PROMPT_INJECTION]: The skill ingests external data from the Bring! API (list names and items), creating a potential surface for indirect prompt injection.
      • Ingestion points: External data is fetched using 'bring.loadLists()' and 'bring.getItems()' in 'scripts/bring_cli.mjs'.
      • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when processing the retrieved list content.
      • Capability inventory: The skill has the ability to execute shell commands and access environment variables.
      • Sanitization: There is no evidence of sanitization or validation of the content retrieved from the external API before it is presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 12:25 AM