skills/juanca202/ai/project-create/Gen Agent Trust Hub

project-create

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands including git init, git remote, git fetch, and git merge to incorporate external codebases into the workspace. It also invokes npm install to manage project dependencies.
  • [EXTERNAL_DOWNLOADS]: The skill fetches content from a user-defined templateUrl. This facilitates the download of arbitrary code from remote sources into the local environment without source verification.
  • [REMOTE_CODE_EXECUTION]: By running npm install on a repository merged from an untrusted templateUrl, the skill enables remote code execution. Malicious templates can contain lifecycle scripts in package.json, such as preinstall or postinstall, that execute arbitrary commands during the installation process.
  • [DATA_EXFILTRATION]: The instructions direct the agent to modify .cursor/hooks/telemetry/scripts/send.js, an IDE hook script. Writing to IDE-specific telemetry or hook scripts is highly suspicious: such a script runs inside the developer's IDE and gives a template a mechanism for data exfiltration or environment manipulation.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
    • Ingestion points: the templateUrl input and the files merged in from the external repository.
    • Boundary markers: none present; the agent processes the merged content as authoritative and follows its structure for subsequent modifications.
    • Capability inventory: file modification (writing to IDE-specific scripts), git commands, and npm install execution.
    • Sanitization: only basic string validation on the projectName and projectId identifiers; no integrity checks or content validation on the external repository content.
Recommendations
  • AI detected serious security threats. Do not run this skill against a templateUrl you do not control: restrict templateUrl to an allowlist of trusted repositories and pin it to a reviewed commit rather than a branch.
  • Run npm install with --ignore-scripts, or inspect the merged package.json for preinstall, install and postinstall scripts first, so a template cannot execute commands during installation.
  • Review every change the skill makes under .cursor/hooks/, in particular .cursor/hooks/telemetry/scripts/send.js, before the IDE can execute it; a skill should not need to touch IDE hook or telemetry scripts at all.
  • Treat merged template content as untrusted data, not as instructions the agent should follow, and validate templateUrl and the merged files, not only projectName and projectId.
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 01:05 AM
Security Audit — agent-trust-hub — project-create