cocos2d-cli

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch the cocos2d-cli package from the npm registry during execution.
  • [REMOTE_CODE_EXECUTION]: Running unverified third-party packages via npx constitutes a remote code execution risk.
  • [COMMAND_EXECUTION]: The skill executes various CLI commands to manage Cocos Creator assets, including screenshot, create-prefab, set, and get.
  • [PROMPT_INJECTION]: Analyzing user-provided UI screenshots to generate JSON code creates an indirect prompt injection surface. SKILL.md contains no explicit sanitization or boundary markers for processing these external visual inputs.
  • [DATA_EXFILTRATION]: The skill has the capability to read and modify local project files such as .json, .prefab, and .fire files, which is a necessary function for its stated purpose but involves direct access to project data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 10:39 AM