Skills
skills/vchirrav/product-security-ai-skills/sast-eslint-security/Gen Agent Trust Hub

sast-eslint-security

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted code from target-path. Malicious instructions within comments in the scanned code can be reflected in the scan results and mislead the agent. Evidence: 1. Ingestion: target-path content. 2. Boundaries: None. 3. Capabilities: Shell execution, file writing. 4. Sanitization: None.
  • Command Execution (MEDIUM): The skill executes npx eslint via shell. If the target-path is not sanitized, an attacker could execute arbitrary commands via shell injection.
  • External Downloads (LOW): Uses npx and npm to install/run linting tools. While the sources are trusted, runtime downloads via npx lack version pinning by default.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 03:24 PM