zavu-rules
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation references several vendor-owned libraries and packages, including the Python package 'zavudev', the Node.js package '@zavudev/sdk', and the Go SDK at 'github.com/zavudev/sdk-go'.
- [COMMAND_EXECUTION]: The skill includes instructions to add an MCP server using the 'npx' command to run the '@zavudev/sdk-mcp' package directly in the terminal environment.
- [REMOTE_CODE_EXECUTION]: The MCP server exposes an 'execute' tool designed to run arbitrary TypeScript code against the authenticated Zavu client, which constitutes a dynamic execution capability.
- [PROMPT_INJECTION]: The skill's primary function is to handle multi-channel messaging (SMS, WhatsApp, Email, etc.), which creates a surface for indirect prompt injection as the agent processes untrusted data from external senders.
  - Ingestion points: Incoming message content from SMS, WhatsApp, Telegram, Email, and Instagram channels as described in SKILL.md.
  - Boundary markers: No specific delimiters or instructions are provided to distinguish between system instructions and message content.
  - Capability inventory: Includes file system access via CLI tools and dynamic TypeScript execution via the MCP 'execute' tool.
  - Sanitization: The skill documentation does not outline any procedures for sanitizing or escaping the content of messages before they are processed by the AI agent.
Audit Metadata