lavish
Warn
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses 'npx -y lavish-axi' to fetch and execute the 'lavish-axi' package from the NPM registry at runtime. The '-y' flag bypasses user confirmation for the installation of the package.
- [REMOTE_CODE_EXECUTION]: By invoking 'npx' with an unverified third-party package, the skill executes remote code in the local environment. This tool is used for artifact serving, playbook retrieval, and processing user feedback.
- [COMMAND_EXECUTION]: The skill triggers multiple shell commands to create project directories ('.lavish/'), generate HTML files, and manage background processes for a local Express.js server and a feedback polling loop.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the 'npx -y lavish-axi poll' mechanism.
  * Ingestion points: The agent reads user annotations, feedback, and 'queued prompts' from an external browser session via the poll command in SKILL.md.
  * Boundary markers: There are no delimiters or instructions provided to the agent to treat the ingested feedback as untrusted content or to ignore embedded instructions.
  * Capability inventory: The agent has permissions to execute shell commands (npx), write files to the local disk, and manage network processes.
  * Sanitization: The skill does not describe any validation or sanitization of the data retrieved from the polling command before it is integrated into the agent's context.
Audit Metadata