genkit
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): Step 1 of the skill recommends installing the Genkit CLI using `curl -sL cli.genkit.dev | bash`. This "piped remote execution" pattern is dangerous because it executes an unverified script from the internet directly on the host machine without any integrity check.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires installing multiple Node.js packages (`genkit`, `@genkit-ai/google-genai`, `genkit-cli`) from external registries, increasing the software supply chain attack surface.
- COMMAND_EXECUTION (LOW): The skill uses command-line tools such as `npm`, `npx`, and `genkit start` to initialize projects and run development servers, which involves executing shell commands with user-defined paths.
- PROMPT_INJECTION (LOW): The skill provides templates for building RAG pipelines and tool-calling agents, which are inherently vulnerable to indirect prompt injection from untrusted data sources.
- Ingestion points: Data enters the agent via `inputSchema` in flows and through external tool outputs (e.g., the `fetchWeather` example).
- Boundary markers: No explicit delimiters or boundary markers are used in the prompt templates to separate instructions from untrusted data.
- Capability inventory: The agents created can perform network operations (fetch) and execute arbitrary code via the flow runner.
- Sanitization: The provided examples do not demonstrate any sanitization or validation of external content beyond schema definition.
Recommendations
- AI detected serious security threats
Audit Metadata