custom-code-management

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Prompt Injection] (LOW): The skill exhibits an indirect prompt injection surface by facilitating the ingestion of user-provided script content that is then deployed to a production environment.
    • Ingestion points: The 'Add Script' workflow in SKILL.md where the user provides the 'code' parameter.
    • Boundary markers: Absent; the skill does not include delimiters or specific instructions for the agent to ignore potentially malicious embedded directives within the provided code.
    • Capability inventory: The add_inline_site_script tool provides the ability to modify the client-side behavior of a remote website.
    • Sanitization: Basic validation is present (character count check and exclusion of <script> tags), but there is no scanning of the script content for malicious logic or patterns.
  • [Remote Code Execution] (MEDIUM): The skill allows for the deployment of arbitrary executable logic to a remote CMS platform. This is a high-privilege operation that is the primary purpose of the skill, but it poses an inherent risk of facilitating the delivery of malicious payloads if the agent is manipulated via prompt injection or if the data source is compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:32 PM