javascript-sdk
Audited by Gen Agent Trust Hub on Feb 12, 2026
The most severe finding is the use of eval(call.args.expression) in references/tool-builder.md (lines 229, 271) within a calculator tool example. This is a direct arbitrary code execution vulnerability: eval() executes whatever JavaScript string it is given. If a user's prompt can influence call.args.expression, an attacker can execute arbitrary code on the system where the agent is running.
Further compounding the command execution risk, the SKILL.md metadata explicitly allows Bash(npm *), Bash(npx *), Bash(node *), Bash(pnpm *), and Bash(yarn *). This grants the agent broad permissions to execute shell commands, including package installations which can run arbitrary post-install scripts. The references/agent-patterns.md and references/tool-builder.md files also demonstrate enabling internalTools().codeExecution(true), which explicitly allows the agent to run code.
The skill introduces several unverifiable external dependencies. The core @inferencesh/sdk package itself, tavily/search-assistant@latest, @upstash/ratelimit, and @upstash/redis are all referenced but none comes from a trusted GitHub organization. This poses a MEDIUM risk for EXTERNAL_DOWNLOADS, as the integrity and security of these third-party packages cannot be verified at analysis time.
Potential data exfiltration vectors exist through webhookTool examples (e.g., Slack, GitHub, generic API calls in references/tool-builder.md and SKILL.md). While intended for legitimate integrations, these can be abused to send sensitive data to external servers if a malicious prompt can control the message content. Additionally, the browser-automation example in references/sessions.md includes an action: 'screenshot' capability, which could capture and exfiltrate sensitive visual information. The skill's core file upload functionality (client.uploadFile) also presents a LOW risk for data exfiltration, as a malicious prompt could trick the agent into uploading sensitive local files.
- AI detected serious security threats