jsonlogic-validator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The script `scripts/test-jsonlogic.js` allows execution of Node.js logic and performs local file reads using the `fs` module. It accepts file paths for rules, data, and test cases without implementing path sanitization or restriction to a specific directory.
  - Evidence: File `scripts/test-jsonlogic.js` lines 107, 137, and 154 use `fs.readFileSync` on paths provided via CLI arguments `--file`, `--data`, and `--test-file`.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation and scripts depend on the external NPM package `json-logic-js`. While this is a standard industry library, the installation is unversioned and performed from a public registry.
  - Evidence: `SKILL.md` instructions recommend `npm install json-logic-js`, and `scripts/test-jsonlogic.js` requires it at line 14.
- PROMPT_INJECTION (LOW): The skill exhibits a surface for Indirect Prompt Injection by ingesting and processing untrusted data and files.
  - Ingestion points: `scripts/test-jsonlogic.js` accepts JSON strings and file contents via command-line arguments (`rule`, `data`, `--test-cases`).
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the processed JSON data.
  - Capability inventory: Local file read access via `fs.readFileSync` in `scripts/test-jsonlogic.js`.
  - Sanitization: The script validates that input is parseable JSON but does not sanitize the content or the file paths against directory traversal.
Audit Metadata