gradient-mesh
Fail
Audited by Gen Agent Trust Hub on Jun 9, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/install-gradient-mesh-hooks.shimplements a persistence mechanism by installing a shell script into the.git/hooks/directory. This ensures that the local scriptscripts/check-gradient-mesh.mjsis executed automatically during Git push operations, establishing a persistent execution hook within the developer's environment. - [COMMAND_EXECUTION]: The
README.mddocumentation instructs users to execute the PowerShell scriptscripts/gradient-mesh-design.ps1using the-ExecutionPolicy Bypassflag. This practice encourages users to circumvent system-level security controls designed to prevent the execution of untrusted scripts. - [EXTERNAL_DOWNLOADS]: The skill provides integration notes and references for an external GitHub repository,
DonsetPG/MeshGradientPy, which is not managed by a verified or well-known technology organization. This introduces a dependency on unvetted third-party code for asset generation. - [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection through its
scripts/check-gradient-mesh.mjsscript, which recursively reads the contents of local project files (CSS, JS, MD, etc.) without sanitization. Because the agent's subsequent design decisions and command executions are based on these automated findings, an attacker could embed malicious instructions within the project files to influence the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata