javascript-sdk

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation (specifically in references/tool-builder.md and references/agent-patterns.md) contains examples suggesting the use of the eval() function to process input for tools such as calculators. Using eval() on untrusted input is a major security risk that can lead to arbitrary code execution.
  • [COMMAND_EXECUTION]: The skill requests permission to execute node, npm, npx, yarn, and pnpm. This gives the agent broad authority to run scripts and execute system-level commands, which is dangerous if the agent encounters malicious instructions or tries to execute the insecure eval() snippets provided in the documentation.
  • [EXTERNAL_DOWNLOADS]: The skill frequently references and provides instructions for installing the @inferencesh/sdk package and other dependencies (like Express and React) from the npm registry. While standard for a developer SDK, it facilitates the download and execution of external code.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 19, 2026, 01:18 PM
Security Audit — agent-trust-hub — javascript-sdk