faf-expert

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to install several third-party Node.js packages including faf-cli and various MCP servers (claude-faf-mcp, grok-faf-mcp, rust-faf-mcp, gemini-faf-mcp). These packages originate from an unverified source and do not match the provided author/vendor identity ('ranbot-ai').
  • [REMOTE_CODE_EXECUTION]: The skill uses npx -y claude-faf-mcp@latest to configure the MCP server. This pattern downloads and executes the latest version of an external script directly from the npm registry without version pinning, which can be a vector for supply-chain attacks if the package is compromised.
  • [COMMAND_EXECUTION]: The skill defines and uses several CLI commands (faf init, faf score, faf mcp install, faf bi-sync) that involve local file system manipulation and environment configuration. Specifically, faf bi-sync is designed to modify multiple critical project configuration files (CLAUDE.md, .cursorrules, GEMINI.md, AGENTS.md) based on the content of .faf files.
  • [INDIRECT_PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes project-level context files and synchronizes them across different tools.
  • Ingestion points: Reads project identity, goals, and stack information from .faf files and other context markers.
  • Boundary markers: None identified; instructions do not specify delimiters or warnings for the agent to ignore instructions embedded in the project files.
  • Capability inventory: File-write capabilities (bi-directional sync), MCP server installation, and execution of various CLI tools.
  • Sanitization: No evidence of sanitization or escaping of project data before it is synchronized or used to update other context files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 06:23 PM
Security Audit — agent-trust-hub — faf-expert