nuxt-ui
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The script 'scripts/generate-components.ts' clones the 'nuxt/ui' repository from GitHub. While 'github.com' is a standard platform, the 'nuxt' organization is not included in the predefined list of trusted external sources, requiring verification of the source's integrity.
- [COMMAND_EXECUTION] (MEDIUM): The script utilizes 'child_process.execSync' to run git commands ('git clone' and 'git sparse-checkout'). Although the commands and URLs are hardcoded, the use of synchronous shell execution poses a risk that requires review before the script is executed in sensitive environments.
- [PROMPT_INJECTION] (LOW): The skill documentation is automatically generated from external markdown content. This creates a surface for indirect prompt injection if the source repository were to contain malicious instructions designed to influence the agent. Evidence:
  1. Ingestion points: 'scripts/generate-components.ts' clones docs from GitHub.
  2. Boundary markers: Absent; content is parsed and written directly.
  3. Capability inventory: Skill provides UI guidance and includes a file-writing script.
  4. Sanitization: Absent.
Audit Metadata