The skill executes arbitrary code via dynamic evaluation and shell commands, performs unauthorized file system traversal, and initiates unmonitored network requests, creating a severe risk of remote code execution.
npx skills add https://github.com/microsoft/power-cat-skills
Detected use of eval() or Function() constructor with dynamic input. This can lead to code injection if the input is user-controlled. Avoid eval() entirely. Use JSON.parse() for data deserialization or a safe expression evaluator for computed values.
eval()
Regular expression matches a hostname but isn't anchored with both `^` and `$`. The pattern matches anywhere in the input — `/example\.com/.test("evil.com/example.com/path")` succeeds even though the URL's host is `evil.com`. Anchor with `^…$`, or use a URL parser instead of a regex. (seen 2 times in this file at lines 80, 128)
/fetch\s*\(\s*['"`]https?:\/\//
User input from an Express request is used to construct a file path. This could allow an attacker to read or write arbitrary files using path traversal sequences like '../'. Use path.resolve() with a base directory and validate the result stays within the intended directory, or use path.basename() to strip directory components.
taint source (line 129): d.name → sink: writeFileSync(dashboardPath, html
JavaScript dynamic code execution (new Function / setTimeout/setInterval with a string body) (seen 2 times in this file at lines 577, 705)
new Function(
The skill generates and executes shell scripts (`run-evals.ts`, `security-runner.ts`) that use `execSync` to run `npx tsx`. This creates a persistent mechanism for executing arbitrary code within the user's environment.
execSync('npx tsx runner/presence-runner.ts', { cwd: ROOT, encoding: 'utf-8', timeout: 60_000 });
child_process module imported — any exec/execSync/spawn call executes OS commands
import('child_process')
The skill claims to generate an eval suite for a specific project, but the instructions require it to walk the entire project root and potentially access sensitive files like `package.json` and `power.config.json` to perform security scans.
Use glob on src/ to identify: ... power.config.json exists
The skill instructs the agent to use its own custom logic for file discovery and analysis (e.g., 'Use glob on src/ to enumerate all files') instead of relying on standard platform tools, which can be used to bypass security monitoring of file access patterns.
Use glob on src/ to enumerate all files
The skill instructions reference `m365_download_file` and `m365_search_files`, which imply network access to Microsoft 365, but these tools are not declared in the allowed-tools manifest.
Use m365_download_file (resolve file ID with m365_search_files first).
Outbound network request primitive in skill code — can transmit data externally
fetch()
The skill accepts external requirements documents (local files, OneDrive/SharePoint URLs) and uses them to generate code and test suites, allowing an attacker to inject malicious instructions into the generated eval files.
Requirements document — OPTIONAL. One of: Local file path... OneDrive / SharePoint URL
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime (seen 12 times in this file at lines 34, 38, 180, 184, 188, 289, 875, 890, 932, 1086, …)
npx power-apps
Skill does not specify a license field. Specifying a license helps users understand usage terms.
Mondoo Skill Check report: https://mondoo.com/ai-agent-security/skills/github/microsoft/power-cat-skills/eval-generator-code-app
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.