typescript-expert

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • COMMAND_EXECUTION (LOW): The ts_diagnostic.py script uses subprocess.run(shell=True) to perform project analysis tasks such as version checking (node -v, npx tsc --version) and code searching (grep).
    • Evidence: Functions like check_versions, check_type_errors, and check_any_usage invoke a generic run_cmd wrapper.
    • Context: The commands are hardcoded and do not interpolate untrusted user input, so the risk of command injection is negligible in its current form. Use of shell=True is common in utility scripts, but it should generally be replaced with argument lists (shell=False) so that any future change that introduces user-controlled input cannot turn into shell injection.
  • INDIRECT_PROMPT_INJECTION (LOW): The script parses local package.json and tsconfig.json files and searches files within a src/ directory.
    • Ingestion points: scripts/ts_diagnostic.py reads local JSON configuration files and directory contents.
    • Boundary markers: None (standard file reading).
    • Capability inventory: Read access to the local filesystem; shell command execution for diagnostics.
    • Sanitization: The script uses json.load() for parsing, which does not evaluate code, and limits grep searches to specific file extensions.
  • EXTERNAL_DOWNLOADS (SAFE): The script uses npx, which may download packages from the npm registry if they are not found locally. This is standard behavior for JavaScript development environments.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:43 PM