novu-connect-agent

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill executes npx novu@latest, which fetches and runs the latest version of the Novu CLI from the npm registry. This is a vendor-authorized resource for 'novuhq'.
  • [COMMAND_EXECUTION]: Shell commands are used to execute the CLI tool with user-derived parameters.
  • Evidence: export NOVU_AGENT_DESCRIPTION='<confirmed agent description>' followed by npx novu@latest connect.
  • Risk: While the instructions caution against using double-quoted arguments, the provided template uses single quotes, which remains vulnerable to command injection if the AI does not properly escape single quotes within the generated description.
  • [PROMPT_INJECTION]: The skill analyzes local project content to generate agent configurations, creating an indirect prompt injection surface.
  • Ingestion points: Project metadata files including README.md and package.json, as well as application source code.
  • Boundary markers: No specific delimiters or "ignore" instructions are used when reading these untrusted files.
  • Capability inventory: Execution of shell commands via the npx tool.
  • Sanitization: A mandatory human-in-the-loop approval step (AskQuestion) is required, ensuring the user reviews and confirms the generated description before execution.
  • [CREDENTIALS_UNSAFE]: The skill provides a discouraged fallback path where users can provide Slack App Configuration Tokens or Telegram bot tokens directly in the chat session. This leads to sensitive credentials being stored in the agent's chat history, although the skill warns the user of the risk and recommends a more secure method.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 03:07 PM
Security Audit — agent-trust-hub — novu-connect-agent