skills/nomadamas/k-skill/saju-fortune/Gen Agent Trust Hub

saju-fortune

Warn

Audited by Gen Agent Trust Hub on Jun 25, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of a third-party npm package named saju-fortune. This package is not from a verified or well-known service provider, introducing a dependency on unverified external code.
  • [COMMAND_EXECUTION]: The skill uses shell commands to manage the environment and execute logic, specifically instructing the agent to run npm install -g saju-fortune and piping JavaScript code into the Node.js interpreter via shell heredocs (`node
  • <<'JS'`).
  • [REMOTE_CODE_EXECUTION]: The workflow involves downloading external code and executing it dynamically. Furthermore, the skill template interpolates user-provided data (like names and birth dates) directly into a JavaScript string literal within a shell command. If the user provides input containing escape characters or quotes (e.g., ", (function(){...})(), "), it could lead to arbitrary code execution within the Node.js process.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 25, 2026, 01:40 PM
Security Audit — agent-trust-hub — saju-fortune