saju-fortune
Warn
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a third-party npm package named
saju-fortune. This package is not from a verified or well-known service provider, introducing a dependency on unverified external code. - [COMMAND_EXECUTION]: The skill uses shell commands to manage the environment and execute logic, specifically instructing the agent to run
npm install -g saju-fortuneand piping JavaScript code into the Node.js interpreter via shell heredocs (`node - <<'JS'`).
- [REMOTE_CODE_EXECUTION]: The workflow involves downloading external code and executing it dynamically. Furthermore, the skill template interpolates user-provided data (like names and birth dates) directly into a JavaScript string literal within a shell command. If the user provides input containing escape characters or quotes (e.g.,
", (function(){...})(), "), it could lead to arbitrary code execution within the Node.js process.
Audit Metadata