
compat-review

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill fetches and applies external code changes using gh pr diff {number} --repo toss/es-toolkit | git apply. It then executes this unverified code through yarn vitest run. Since PRs can be submitted by any GitHub user, this represents an execution path for untrusted code.
  • [COMMAND_EXECUTION]: The workflow relies on several shell commands including gh, git, and yarn. These tools are used to modify the local filesystem and execute JavaScript/TypeScript code based on external inputs (PR numbers).
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It instructs the agent to read the PR title and body (gh pr view) to determine the target function and required test cases. An attacker could embed malicious instructions in a PR description to influence the agent's reporting or behavior.
  • Ingestion points: Data enters the agent context via gh pr view output (PR title and body).
  • Boundary markers: None. The agent is instructed to "Extract directly from the PR description."
  • Capability inventory: Subprocess execution via Bash (gh, git, yarn, vitest) and file writing via Write tool.
  • Sanitization: None. The agent processes the raw PR text without filtering.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 10:06 PM