features-documentation
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill uses npx to execute markdownlint and markdown-link-check, which download packages from the npm registry at runtime. These dependencies are not versioned or from a trusted source, posing a supply chain risk.
- PROMPT_INJECTION (MEDIUM): An indirect prompt injection vulnerability exists because the skill extracts strings from code (.ts, .tsx) and documentation headers (.md) to identify missing features. These strings are interpolated into the agent's context and status reports without sanitization. An attacker could craft feature names (e.g., feature: "Ignore previous instructions") to manipulate the agent's logic or the behavior of the documentation-audit skill it invokes.
  1. Ingestion points: Source code and markdown files via grep.
  2. Boundary markers: None used in the status summary.
  3. Capability inventory: git diff, shell utilities, npx execution, and skill triggering.
  4. Sanitization: None.
- DATA_EXFILTRATION (LOW): The markdown-link-check utility automatically visits URLs found in the documentation. This could be used to trigger network requests to arbitrary external servers, potentially leaking project structure or environment details via URL parameters.
- COMMAND_EXECUTION (LOW): The skill uses standard shell utilities like find, grep, and sed to process local files. While used for its core logic, this represents a surface for shell injection if file contents or names are maliciously crafted to break command structures.
Audit Metadata