npm-scripts
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill enables npm script management as its primary function. It includes proactive security warnings in references/best-practices.md regarding the execution of untrusted code.
- [EXTERNAL_DOWNLOADS] (SAFE): All package operations involve the official npm registry and well-known, trusted community packages.
- [INDIRECT_PROMPT_INJECTION] (SAFE): The skill processes project configuration files like package.json. While this presents a potential surface for indirect injection, the risk is mitigated by the skill's intended use as a developer tool and its included security documentation. Evidence: Ingestion point is the local project package.json; Boundary markers are defined in the best-practices guide; Capability inventory includes shell execution via npm and npx; Sanitization relies on documented developer best practices.
Audit Metadata