faf-expert
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to install several third-party Node.js packages including
faf-cliand various MCP servers (claude-faf-mcp,grok-faf-mcp,rust-faf-mcp,gemini-faf-mcp). These packages originate from an unverified source and do not match the provided author/vendor identity ('ranbot-ai'). - [REMOTE_CODE_EXECUTION]: The skill uses
npx -y claude-faf-mcp@latestto configure the MCP server. This pattern downloads and executes the latest version of an external script directly from the npm registry without version pinning, which can be a vector for supply-chain attacks if the package is compromised. - [COMMAND_EXECUTION]: The skill defines and uses several CLI commands (
faf init,faf score,faf mcp install,faf bi-sync) that involve local file system manipulation and environment configuration. Specifically,faf bi-syncis designed to modify multiple critical project configuration files (CLAUDE.md,.cursorrules,GEMINI.md,AGENTS.md) based on the content of.faffiles. - [INDIRECT_PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes project-level context files and synchronizes them across different tools.
- Ingestion points: Reads project identity, goals, and stack information from
.faffiles and other context markers. - Boundary markers: None identified; instructions do not specify delimiters or warnings for the agent to ignore instructions embedded in the project files.
- Capability inventory: File-write capabilities (bi-directional sync), MCP server installation, and execution of various CLI tools.
- Sanitization: No evidence of sanitization or escaping of project data before it is synchronized or used to update other context files.
Audit Metadata