baoyu-electron-extract
Pass
Audited by Gen Agent Trust Hub on May 26, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using `bun` or `npx` to run the main extraction script and invokes external utilities for asar extraction and code formatting.
- [EXTERNAL_DOWNLOADS]: The script dynamically downloads and executes well-known packages (`@electron/asar` and `prettier`) from the npm registry using `npx -y`.
- [PROMPT_INJECTION]: The skill processes external, potentially untrusted application code and source maps, which represents an indirect prompt injection surface.
  - Ingestion points: Reads `.asar` bundles and `.js.map` files from local application directories (`scripts/main.ts`).
  - Boundary markers: No specific delimiters are added to the extracted content.
  - Capability inventory: Includes file system write access and subprocess execution via `npx`.
  - Sanitization: Employs path normalization and validation logic (`isSafeRelativePath`, `restoredTargetPath`) to mitigate directory traversal risks.
- [SAFE]: The skill includes security-focused logic such as `assertSafeOutputDir` to prevent overwriting critical system directories and validates that the output path is related to the application being processed.
Audit Metadata