dify-dsl-generator

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill acts as a generator that transforms untrusted natural language requirements into executable Dify DSL files.
    - Ingestion points: User-provided business requirements and process descriptions.
    - Boundary markers: Absent. There is no mechanism to prevent malicious instructions from being embedded into the generated DSL's prompts or nodes.
    - Capability inventory: The generated workflows can include 'Code' nodes (Python execution), 'HTTP Request' nodes, and 'Tool' nodes (specifically MCP integration via junjiem/mcp_sse), providing a significant surface for post-import exploitation.
    - Sanitization: Absent. User input is directly converted into configuration logic without escaping or validation.
  • Unverifiable Dependencies (MEDIUM): The skill is based on patterns from an untrusted external repository (github.com/wwwzhouhui/dify-for-dsl) and encourages the use of unverified marketplace plugins like junjiem/mcp_sse and bowenliang123/md_exporter.
  • Remote Code Execution (HIGH): By generating workflows that include the Model Context Protocol (MCP) and Python code nodes, the skill facilitates the creation of agents that can interact with the host system, which represents a high-risk surface if the generation process is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 10:15 PM