sync-docs
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is explicitly instructed to 'Run project commands mentioned in docs to verify they work' and is granted access to `Bash(npm*)` and `Bash(yarn*)`. This allows for the execution of arbitrary scripts defined in a project's configuration or described in its documentation.
- [REMOTE_CODE_EXECUTION] (MEDIUM): By allowing the use of package managers like npm and yarn on potentially untrusted codebases, the skill is vulnerable to executing malicious lifecycle scripts (e.g., preinstall, postinstall) if it triggers an installation or runs a compromised project script.
- [DATA_EXFILTRATION] (LOW): The combination of broad file read access (`Read(*)`) and network access (`WebFetch(*)`) provides a functional path for data exfiltration, although the intended use case is described as link validation.
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the codebase and uses it to determine its next actions without sanitization.
  - Ingestion points: Any file within the project directory accessed via `Read(*)`, `Glob(*)`, or `Grep(*)`.
  - Boundary markers: None; there are no instructions to the agent to treat documentation content as data rather than instructions.
  - Capability inventory: Includes file system modification (`Write`, `Edit`), network access (`WebFetch`), and shell execution (`Bash`).
  - Sanitization: None; the process explicitly trusts commands found in project documentation.
Audit Metadata