skills/anentrypoint/spawnpoint/spoint/Gen Agent Trust Hub

spoint

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGHDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The src/sdk/StaticHandler.js file contains a path traversal vulnerability in the createStaticHandler function. The implementation constructs file paths by joining a base directory with a path derived from the request URL without properly validating that the resulting path remains within the intended directory boundaries. An attacker can exploit this using .. sequences to read arbitrary files from the server filesystem that the Node.js process has permission to access.\n- [REMOTE_CODE_EXECUTION]: The application loading mechanism in src/apps/AppLoader.js uses a weak security boundary to validate game "app" code. The _validate function only checks for a small set of blocked string patterns (such as eval( and require(), which can be easily bypassed using standard JavaScript obfuscation techniques. The loader then executes this code using dynamic import() or new Function(), allowing for arbitrary code execution on the server hosting the SDK.\n- [REMOTE_CODE_EXECUTION]: The integrated 3D scene editor (client/editor/js/libs/app.js) evaluated script content using the new Function constructor. This could allow for arbitrary JavaScript execution in a user's browser if a malicious project file is loaded into the editor.\n- [EXTERNAL_DOWNLOADS]: The engine is configured to download 3D models and other assets from the author's official GitHub repository at https://raw.githubusercontent.com/AnEntrypoint/assets/. These downloads are processed by client/ModelCache.js and are handled as trusted vendor resources.\n- [COMMAND_EXECUTION]: The SDK includes a CLI tool bin/create-app.js for scaffolding applications. While functional, it constructs filesystem paths using unsanitized user-provided app names, which could lead to file write operations outside the intended directory. Additionally, the documentation suggests using commands like bunx spoint and node server.js to manage the environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 26, 2026, 05:17 PM
Security Audit — agent-trust-hub — spoint