init-tauri-app
Fail
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The generated
scripts/release.shfile contains a pattern where remote JSON data from a GitHub release is piped directly into the Node.js interpreter for processing. While it uses a static one-liner to parse the data, this 'curl to interpreter' pattern is an insecure practice that can lead to code execution if the remote source or transmission is compromised. - Evidence:
curl -sL "https://github.com/$REPO/releases/latest/download/latest.json" | node -e "const d=JSON.parse(require('fs').readFileSync(0));..."inassets/modules/release-preflight/release.sh. - [REMOTE_CODE_EXECUTION]: The
mcp.jsonfile configuration usesnpx -yto download and execute an external package from an unverified third-party organization at runtime. - Evidence:
"command": "npx", "args": ["-y", "@hypothesi/tauri-mcp-server"]inassets/core/mcp.json. - [CREDENTIALS_UNSAFE]: The
release.shscript is designed to handle highly sensitive credentials, including App Store Connect API keys and Tauri signing private keys. It reads these directly from the environment and files, and explicitly logs missing variables, which increases the risk of credential exposure if the script or environment is mismanaged. - Evidence: Handling of
TAURI_SIGNING_PRIVATE_KEY_PASSWORD,APPLE_API_KEY,APPLE_API_ISSUER, andTAURI_SIGNING_PRIVATE_KEYread viacat "$KEY_PATH". - [DATA_EXFILTRATION]: The
release.shscript combines access to sensitive signing credentials with network operations (Git push and GitHub CLI release commands). This represents a high-risk surface where credentials could be exfiltrated if the script logic is maliciously modified. - [COMMAND_EXECUTION]: The skill makes extensive use of shell scripts (
render-jtbd.sh,preflight.sh,check-versions.sh) and build tools (npm,cargo,npx) that perform file system operations and network requests during the scaffolding and release process. - [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by ingesting user-controlled JSON files (
jtbd.json) and interpolating their raw contents into 'AGENTS.md', which serves as the canonical instruction set for subsequent AI agent operations in the project. - Ingestion points: The
jtbd.jsonfile is read from user-specified paths or discovered in the local directory. - Boundary markers: No delimiters or safety instructions are used to wrap the interpolated content.
- Capability inventory: The agent has full access to the project structure, including the ability to write scripts and execute build commands.
- Sanitization: No sanitization or validation is performed on the content of the JSON fields before they are rendered into instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://github.com/$REPO/releases/latest/download/latest.json - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata