nx-generate
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary Nx generators based on user-provided or inferred names and options using `nx generate <generator-name> <options> --no-interactive`. This allows for a wide range of file system and configuration changes.
- [COMMAND_EXECUTION]: Uses `node -e` to execute inline JavaScript for path resolution (`node -e "console.log(require.resolve(...))"`), which is a form of dynamic code execution via the terminal.
- [COMMAND_EXECUTION]: Instructs the agent to run verification commands such as `nx lint`, `nx test`, and `nx build`, which execute scripts defined in the repository's configuration files.
- [REMOTE_CODE_EXECUTION]: While focused on Nx, the use of `npx nx list` or `nx generate` can trigger the installation and execution of npm packages if the specified plugin is not locally available.
- [PROMPT_INJECTION]: Indirect surface. The skill processes external data (generator schemas, repository source code, and user input) and maps it directly to execution flags. Evidence Chain:
  - Ingestion points: User requests for generators, generator schema files, and local repository source code (SKILL.md).
  - Boundary markers: Absent; there are no instructions to ignore embedded commands within the data being processed.
  - Capability inventory: Shell command execution (`nx`), file system modification, and dynamic Node.js execution (SKILL.md).
  - Sanitization: Absent; input is mapped directly to command-line arguments without escaping or validation logic.