npm-publish
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various CLI tools including npm, git, and bun to manage the package lifecycle, including running build scripts defined in the project's package.json.
- [COMMAND_EXECUTION]: The skill performs remote repository synchronization via git push commands.
- [PROMPT_INJECTION]: The skill processes untrusted content from local project files and git logs. Evidence: Ingestion points include package.json and git history; no boundary markers or sanitization are specified; capabilities include network publishing and repository modification.
- [SAFE]: Sensitive authentication data like npm OTPs are handled through direct user interaction and used solely for the intended publication command.