opportunity-solution-tree-builder
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to use npx ost-builder. This command downloads and runs a package from the npm registry at runtime. The author ('trinixlabs') is not a trusted source, making this an unverifiable remote code execution risk.
- COMMAND_EXECUTION (LOW): The skill documentation provides specific command-line instructions for visualizing Opportunity Solution Trees.
- PROMPT_INJECTION (LOW): The skill processes user-provided Markdown data, creating an indirect prompt injection surface.
  - Ingestion points: Markdown formatted text for tree construction in SKILL.md and references/ost-markdown.md.
  - Boundary markers: None.
  - Capability inventory: Suggested CLI tool execution.
  - Sanitization: No sanitization or validation of the input Markdown is specified beyond syntax checks for the tool.
Audit Metadata