Skills
skills/adonis0123/adonis-skills/claude-skills-sync-init/Gen Agent Trust Hub

claude-skills-sync-init

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local setup scripts to configure the target repository. This is the primary purpose of the skill and is implemented with several security controls:
  • Input Validation: The --script-name parameter in scripts/bootstrap-sync-skills.mjs is strictly validated against a regex pattern [A-Za-z0-9:._-]+ to prevent command injection into package.json scripts.
  • Path Sanitization: The normalizePackageScriptPath function prevents directory traversal by ensuring the generated script path stays within the project root and adheres to a single-level directory structure.
  • Safe Command Invocation: The postinstall hook injection uses a CI guard (is-ci) to prevent unexpected execution in automated environments and implements a strict duplicate check to maintain idempotency.
  • Atomic Operations: The sync logic in assets/templates/sync-llm-skills.ts uses a temporary directory and rename operations to ensure that a failure during file copying does not result in a corrupted or empty target directory.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 10, 2026, 11:14 AM