pnpm
Fail
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains deceptive metadata, claiming to be authored by "Anthony Fu", a prominent open-source developer, whereas the actual author is identified by the platform as "liangmiQwQ". This misattribution represents a metadata poisoning finding that can lead to misplaced trust in the skill's security.
- [COMMAND_EXECUTION]: The skill provides instructions for executing scripts and binaries through pnpm run and pnpm exec, which allows for arbitrary code execution on the user's system as part of its core package management functionality.
- [REMOTE_CODE_EXECUTION]: The skill describes the functionality of pnpm dlx, a command that downloads and executes packages from the npm registry, enabling the execution of remote code at runtime.
- [EXTERNAL_DOWNLOADS]: The documentation guides the agent to fetch external packages and configuration files from well-known registries and services (such as npm and GitHub), which is standard behavior for a package manager.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of project files combined with powerful system capabilities.
  - Ingestion points: Reads package.json, pnpm-workspace.yaml, and .npmrc files from the project directory.
  - Boundary markers: Absent; there are no instructions to the agent to distinguish between trusted commands and untrusted data within these files.
  - Capability inventory: Includes the ability to install packages and execute scripts (pnpm install, pnpm run, pnpm dlx) across multiple reference documents.
  - Sanitization: Absent; the skill does not define any validation or escaping mechanisms for the data ingested from the configuration files.
Recommendations
- AI detected serious security threats
Audit Metadata