json-tools

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The json.js file contains a filterArray function that utilizes the new Function constructor to evaluate strings provided as command-line arguments. This allows for arbitrary JavaScript execution if a malicious filter string is passed to the script.
  • [COMMAND_EXECUTION]: The SKILL.md file contains numerous examples of executing shell commands via python3 -c, node -e, and jq. These patterns represent a risk of command injection if the input data or arguments provided to these tools are not strictly sanitized.
  • [EXTERNAL_DOWNLOADS]: Examples in SKILL.md demonstrate fetching data from external URLs using curl (e.g., api.example.com/data), which introduces the risk of the agent interacting with and processing untrusted remote content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:11 AM