dev-serve
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/dev-serve.sh` extracts the 'scripts.dev' value from a repository's `package.json` and executes it within a tmux session using `tmux send-keys`. This allows for arbitrary code execution if the skill is run against a repository containing a malicious 'package.json' file.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect injection via untrusted repository metadata and file system paths.
  - Ingestion points: The script reads the `scripts.dev` field from `package.json` and the repository's folder name (via `basename`).
  - Boundary markers: No boundary markers or 'ignore' instructions are used when interpolating these values into commands.
  - Capability inventory: The script possesses capabilities to execute arbitrary shell commands via `tmux`, modify local configuration files using `sed`, and interact with the Caddy web server's administrative API via `curl`.
  - Sanitization: The script performs no sanitization or escaping on the folder name or the 'package.json' content before using them in `sed` commands or shell execution strings. A maliciously named folder could potentially result in configuration injection or file corruption.
- [DATA_EXFILTRATION]: The skill's core functionality involves exposing local ports to a network-facing domain via a Caddy reverse proxy. While this is the intended purpose, it may inadvertently expose sensitive local development services to the internet or local network if the `DEV_SERVE_DOMAIN` is not carefully managed.
Audit Metadata