docusaurus-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies (HIGH): The skill installs the `@easyops-cn/docusaurus-search-local` package. Unlike the official Docusaurus packages, this dependency originates from an untrusted third-party organization (easyops-cn), posing a risk of supply chain compromise.
- Remote Code Execution (LOW): The skill executes `npx -y create-docusaurus@latest`. While this downloads and executes remote code, Docusaurus is maintained by a trusted organization (Meta/Facebook), which downgrades the severity of the download itself per [TRUST-SCOPE-RULE].
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect injection.
  - Ingestion points: The skill reads `package.json`, `README.md`, and project files via `find` and `cat` in Step 1.
  - Boundary markers: None are present in the instructions to prevent the agent from obeying instructions embedded within the documented files.
  - Capability inventory: The skill has extensive capabilities, including `npm install`, `npm run start/build/serve`, and the ability to write arbitrary files to the `docs-site/` directory.
  - Sanitization: No sanitization or validation of the ingested project data is performed before it is used to influence the documentation structure or configuration.
- Command Execution (MEDIUM): The skill frequently uses shell commands like `find`, `ls`, and `jq` to inspect the environment. While necessary for its function, these commands are executed on potentially attacker-controlled directory structures and file contents.
Recommendations
- AI detected serious security threats
Audit Metadata