electron-architect
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The script executes file system operations and generates configuration files using the $PROJECT_NAME variable. While variables are quoted in bash commands, they are not escaped for JSON context during file generation.
- [PROMPT_INJECTION] (LOW): The project name input is directly interpolated into a template for package.json. An attacker-controlled project name containing double quotes and additional fields (e.g., 'scripts.postinstall') could allow for arbitrary command execution when the generated project is initialized.
- [Indirect Prompt Injection] (LOW): Mandatory Evidence Chain:
  1. Ingestion points: the PROJECT_NAME variable, sourced from the first command-line argument.
  2. Boundary markers: none present; the input is placed directly inside a JSON string field.
  3. Capability inventory: the script creates a package.json with the potential for auto-executing scripts, and a main process with file read/write capabilities (fs/promises).
  4. Sanitization: no input validation or escaping of JSON special characters is performed on the arguments.
Audit Metadata