Role/instruction override attempt detectedcriticalprompt injectionAML.T0051AML.T0051.000AML.T0051.001AML.T0054LLM01:2025

Role/instruction override attempt detected

100% confidenceline 2817

Ignore all previous instructions

Indirect prompt injection riskhighindirect prompt injection

The skill encourages the agent to run `npx depcheck` and `npx knip`, which execute arbitrary code from the npm registry. This is a classic indirect prompt injection vector where external, attacker-controlled code is executed in the agent's environment.

85% confidenceline 114

npx depcheck 2>/dev/null | head -20 || true

Remote code download and execution detectedcriticalcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

Remote code download and execution detected

100% confidenceline 3265

python -c "import urllib.request; urllib

Excessive shell command surfacehighcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

The skill provides a massive list of shell commands for auditing, including network-related tools and dependency scanners, which significantly exceeds the scope of a simple code review tool. [severity raised to high: this vector is independently flagged by both deterministic and LLM analysis (ADR-0065 corroboration).]

90% confidence

grep -r "api_key\|apikey\|API_KEY..." .

Unverified dependency installationhighsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

The instructions explicitly command the agent to install packages via `npm install` and `npx` without version pinning or integrity checks, creating a supply chain risk. [severity raised to high: this vector is independently flagged by both deterministic and LLM analysis (ADR-0065 corroboration).]

90% confidenceline 677

npm install --save-dev eslint @eslint/js typescript-eslint

JavaScript dynamic code execution (new Function / setTimeout/setInterval with a string body)highcommand executionAML.T0050AML.T0053AML.T0072LLM05:2025LLM06:2025

JavaScript dynamic code execution (new Function / setTimeout/setInterval with a string body)

100% confidenceline 2221

setInterval("

Outbound network request primitive in skill code — can transmit data externallyhighdata exfiltrationAML.T0025AML.T0024LLM02:2025

Outbound network request primitive in skill code — can transmit data externally

95% confidenceline 2

fetch('https://api.openai.com/v1/chat/completions', {
  headers: { 'Authorization': 'Bearer sk-abc123' }
})

Environment secret flows to a network sink (JS/TS)highdata exfiltrationAML.T0025AML.T0024LLM02:2025

Environment secret flows to a network sink (JS/TS)

95% confidenceline 15

taint source (line 10): process.env.LLM_BASE_URL → sink: fetch(`${config.llmBaseUrl}/chat/completions`, {
  headers: { 'Authorization': `Bearer ${config.llmApiKey}` }
})

Runaway agent loop — excessive retry counts, deep recursion, or self-recursive call patternsmediumresource abuseAML.T0029AML.T0034LLM10:2025

Runaway agent loop — excessive retry counts, deep recursion, or self-recursive call patterns

100% confidenceline 565

retry 400

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.mediumvulnAML.T0053AML.T0049LLM06:2025LLM05:2025

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.

95% confidenceline 15

taint source (line 10): process.env.LLM_BASE_URL → sink: fetch(`${config.llmBaseUrl}/chat/completions`, {
  headers: { 'Authorization': `Bearer ${config.llmApiKey}` }
})

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.mediumvulnAML.T0053AML.T0049LLM06:2025LLM05:2025

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.

95% confidenceline 19

taint source (line 6): req.headers['x-correlation-id'] → sink: fetch(upstreamUrl, {
  headers: { 'x-correlation-id': req.correlationId },
})

User-controlled input is concatenated into a SQL query string. This allows SQL injection where an attacker can modify the query structure. Use parameterized queries with placeholders ($1, ?) instead of string concatenation.criticalvuln

User-controlled input is concatenated into a SQL query string. This allows SQL injection where an attacker can modify the query structure. Use parameterized queries with placeholders ($1, ?) instead of string concatenation. (seen 2 times in this file at lines 16, 24)

95% confidenceline 16

taint source (line 16): idempotencyKey → sink: idempotencyKey

Detected use of raw SQL with string formatting in Django. This can lead to SQL injection. Use Django's ORM methods (filter, get, exclude) or use parameterized raw queries with RawSQL or cursor.execute() with %s placeholders and a params list.criticalvuln

Detected use of raw SQL with string formatting in Django. This can lead to SQL injection. Use Django's ORM methods (filter, get, exclude) or use parameterized raw queries with RawSQL or cursor.execute() with %s placeholders and a params list.

95% confidenceline 2

cursor.execute(f"SELECT * FROM users WHERE id = '{user_id}'")

User-controlled input is used in an HTTP response header. If the input contains CRLF characters, this enables HTTP response splitting. Validate header values by rejecting newline characters.criticalvuln

User-controlled input is used in an HTTP response header. If the input contains CRLF characters, this enables HTTP response splitting. Validate header values by rejecting newline characters.

95% confidenceline 8

taint source (line 6): req.headers['x-correlation-id'] → sink: correlationId

User-controlled input is used in an HTTP response header value. If the input contains CR/LF characters, this enables HTTP response splitting where an attacker can inject arbitrary headers or a second response body. Validate and sanitize header values by rejecting newline characters.criticalvuln

User-controlled input is used in an HTTP response header value. If the input contains CR/LF characters, this enables HTTP response splitting where an attacker can inject arbitrary headers or a second response body. Validate and sanitize header values by rejecting newline characters.

95% confidenceline 10

taint source (line 7): request.headers.get("x-correlation-id", str(uuid.uuid4())) → sink: correlation_id

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.mediumvuln

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.

95% confidenceline 15

taint source (line 10): process.env.LLM_BASE_URL → sink: fetch(`${config.llmBaseUrl}/chat/completions`, {
  headers: { 'Authorization': `Bearer ${config.llmApiKey}` }
})

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.mediumvuln

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.

95% confidenceline 19

taint source (line 6): req.headers['x-correlation-id'] → sink: fetch(upstreamUrl, {
  headers: { 'x-correlation-id': req.correlationId },
})

Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtimemediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime (seen 17 times in this file at lines 114, 117, 120, 130, 858, 864, 1079, 1850, 2170, 2623, …)

100% confidenceline 114

npx depcheck

Unpinned dependency installation — package installed without version pinningmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

Unpinned dependency installation — package installed without version pinning

100% confidenceline 882

pip install pre-commit

Missing allowed-tools declarationlowunauthorized tool use

Skill executes commands, writes files, or accesses the network but declares no allowed-tools, so its tool surface cannot be reviewed or constrained.

90% confidence

Undeclared network usagelowunauthorized tool use

Skill contains network access patterns (HTTP requests, socket connections) without declaring network capability in allowed-tools.

60% confidence

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Missing or insufficient descriptioninfopolicy violation

Skill description is empty or too short. A clear description helps users evaluate the skill's purpose.

100% confidence

vibe-hardener

Threat Analysis

Skill Info

Install

Assessments (6)

Badge

Secure your AI agents