live-preview
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands constructed from user-supplied arguments or inferred from project configuration files. This allows for arbitrary command execution on the host system.
- [DATA_EXFILTRATION]: The skill automates the creation of a public ingress tunnel to the local machine. This allows anyone with the generated URL to access local services and potentially exfiltrate sensitive data or environment information.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by trusting the contents of project files or repository documentation to define its execution plan.
- Ingestion points: Reads
package.json,pyproject.toml,requirements.txt,Cargo.toml,go.mod, and repository documentation. - Boundary markers: None. The skill does not use delimiters to separate trusted instructions from untrusted file content.
- Capability inventory: Full
Bashaccess, allowing for arbitrary process creation and file system modification. - Sanitization: None. Data from files is used directly to determine the dev/start command.
- [EXTERNAL_DOWNLOADS]: The workflow involves downloading and installing third-party binaries (
cloudflared,ngrok). While these are well-known services, the automated installation process via shell commands poses a risk if the installation source or integrity is not verified.
Recommendations
- AI detected serious security threats
Audit Metadata