novu-connect-agent
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill executes
npx novu@latest, which fetches and runs the latest version of the Novu CLI from the npm registry. This is a vendor-authorized resource for 'novuhq'. - [COMMAND_EXECUTION]: Shell commands are used to execute the CLI tool with user-derived parameters.
- Evidence:
export NOVU_AGENT_DESCRIPTION='<confirmed agent description>'followed bynpx novu@latest connect. - Risk: While the instructions caution against using double-quoted arguments, the provided template uses single quotes, which remains vulnerable to command injection if the AI does not properly escape single quotes within the generated description.
- [PROMPT_INJECTION]: The skill analyzes local project content to generate agent configurations, creating an indirect prompt injection surface.
- Ingestion points: Project metadata files including
README.mdandpackage.json, as well as application source code. - Boundary markers: No specific delimiters or "ignore" instructions are used when reading these untrusted files.
- Capability inventory: Execution of shell commands via the
npxtool. - Sanitization: A mandatory human-in-the-loop approval step (
AskQuestion) is required, ensuring the user reviews and confirms the generated description before execution. - [CREDENTIALS_UNSAFE]: The skill provides a discouraged fallback path where users can provide Slack App Configuration Tokens or Telegram bot tokens directly in the chat session. This leads to sensitive credentials being stored in the agent's chat history, although the skill warns the user of the risk and recommends a more secure method.
Audit Metadata