umbraco-skill-validator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from repository files and processes it via an AI subagent to generate fix plans.
  - Ingestion points: The skill reads all `SKILL.md` files in the repository as part of its core validation workflow.
  - Boundary markers: No explicit delimiters or instructions are provided to the subagent to disregard natural language instructions found within the scanned data.
  - Capability inventory: The agent has access to the `Edit`, `Bash`, and `Task` tools, allowing it to modify the filesystem and execute commands based on potentially malicious input.
  - Sanitization: There is no evidence of sanitization or filtering of the scanned file content before it is passed to the AI fixer subagent.
- [Remote Code Execution] (MEDIUM): The workflow requires running `npm install` and executing a local TypeScript script (`validate-links.ts`) using `npx tsx`.
  - While the listed dependencies in `package.json` are common, the actual logic of the validation script is not provided for inspection, posing a risk if the script is modified by an attacker in the repository.
- [Command Execution] (LOW): The skill uses the `Bash` tool to run validation scripts and install dependencies, which is a powerful capability that could be abused if the script logic is compromised or manipulated via injection.
- [Data Exposure] (LOW): The skill performs external network requests (HTTP HEAD) to verify URLs. While legitimate for its purpose, this network capability could be misused to probe internal infrastructure or perform basic SSRF.
Recommendations
- AI detected serious security threats
Audit Metadata