bx-unsafe-evaluate
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes instructions to install the 'bx-unsafe-evaluate' module using 'install-bx-module' and 'box install'. These are legitimate package manager commands provided by the vendor for its own ecosystem.
- [REMOTE_CODE_EXECUTION]: The skill documents the 'evaluate()' function, which allows for dynamic execution of code strings. This is a powerful feature that can lead to code execution vulnerabilities if used with unvalidated user input. The documentation mitigates this risk by providing extensive security warnings, explicitly discouraging the function's use for new development, and offering safer coding alternatives like struct key access or the 'invoke()' function.
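The contrast the analysis draws, as an added BoxLang example written for this page (not code from the bx-unsafe-evaluate module, its documentation, or the audit): the same two request-driven operations written first with evaluate() on a string that embeds request data, then with struct key access and an allow-listed invoke() call. The `form` and `user` structs are constructed inline to stand in for real request data, and `ReportService`, `sendReport` and `exportCsv` are hypothetical names.

```boxlang
// Constructed sample request data (stands in for the real form scope).
form = { "field" : "email", "action" : "sendReport" };
user = { "email" : "alice@example.com", "role" : "admin" };

// UNSAFE: the string handed to evaluate() is assembled from request data,
// so whoever controls form.field controls what code is executed.
// Shown for contrast only; do not use in new code.
// value = evaluate( "user.#form.field#" );

// SAFE: bracket (struct key) access looks the key up as data, never as code.
// An unknown key is rejected instead of being interpreted.
if ( !structKeyExists( user, form.field ) ) {
    throw( type = "SecurityException", message = "Unknown field requested" );
}
value = user[ form.field ];
println( value );   // alice@example.com

// UNSAFE: dynamic method dispatch via evaluate() with a request-controlled name.
// result = evaluate( "service.#form.action#( user )" );

// SAFE: invoke() dispatches by name, but only after the name is checked
// against a fixed allow-list of methods this endpoint is meant to expose.
allowedActions = [ "sendReport", "exportCsv" ];   // hypothetical method names
if ( !arrayContains( allowedActions, form.action ) ) {
    throw( type = "SecurityException", message = "Action not permitted" );
}
service = new ReportService();                    // hypothetical class
result  = invoke( service, form.action, { "user" : user } );
```

The allow-list matters as much as swapping evaluate() for invoke(): invoke() removes string-to-code interpretation, but without the check a caller could still reach any public method on `service`, so the name must be constrained to the handful of actions the endpoint is designed to offer.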
Audit Metadata