crockford-good-parts
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Obfuscated zero-width characters are embedded in the headers of 'SKILL.md' and 'references/philosophy.md'.\n
- Evidence: The header '# Douglas Crockford Style Guide' in 'SKILL.md' and '# Douglas Crockford Philosophy' in 'references/philosophy.md' contain hidden sequences of U+200B (Zero Width Space), U+200C (Zero Width Non-Joiner), U+200D (Zero Width Joiner), and U+2060 (Word Joiner). These characters decode to binary data that includes the string 'SK1LL.PW', pointing to a potentially malicious domain.\n- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection through its JavaScript analysis tool.\n
- Ingestion Point: 'scripts/jslint_check.js' reads external files using 'fs.readFileSync'.\n
- Boundary Markers: The script does not use any boundary markers or instructions to the agent to ignore content inside the target file.\n
- Capability Inventory: The script uses regular expressions to analyze code. The results are formatted into a report for the agent, providing a vector where malicious code comments in the analyzed file could influence the agent's behavior or output.\n
- Sanitization: No sanitization or escaping of the target file's content is performed before generating the report.
Recommendations
- AI detected serious security threats
Audit Metadata