engineering-best-practices-enforcer
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bundled shell script scripts/scan-quality-signals.sh that utilizes ripgrep (rg) to scan for code quality signals such as @ts-ignore, ESLint markers, and potential React anti-patterns. It additionally prescribes the use of pnpm for verification steps (lint, typecheck, test, build).
- [EXTERNAL_DOWNLOADS]: The skill includes an index of official documentation URLs for widely used libraries and frameworks including React (react.dev), TanStack (tanstack.com), TypeScript (typescriptlang.org), date-fns (date-fns.org), and Zod (zod.dev). These references are for documentation purposes and originate from well-known, trusted domains.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its core function of processing repository content.
- Ingestion points: The skill ingests untrusted data from the local repository files during code scans and reviews.
- Boundary markers: No specific delimiters or instructions to ignore embedded instructions within processed files are explicitly defined.
- Capability inventory: The skill has access to execute local scripts and standard development CLI tools (pnpm).
- Sanitization: The skill does not explicitly sanitize the content of the files it reads before presenting them to the agent for analysis.
Audit Metadata